diff --git a/.cargo/config.toml b/.cargo/config.toml new file mode 100644 index 0000000..c91c3f3 --- /dev/null +++ b/.cargo/config.toml @@ -0,0 +1,2 @@ +[net] +git-fetch-with-cli = true diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 61bb994..b0bb227 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -4,6 +4,7 @@ on: [push, pull_request] env: CARGO_TERM_COLOR: always + RUSTFLAGS: "-Dwarnings" jobs: build: @@ -18,5 +19,5 @@ jobs: run: cargo test - name: Fmt run: cargo fmt -- --check - # - name: Clippy - # run: RUSTFLAGS="-Dwarnings" cargo clippy + - name: Clippy + run: cargo clippy diff --git a/Cargo.toml b/Cargo.toml index 57687ad..f8bcbff 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,27 +1,35 @@ [package] -name = "oidc4vp" +name = "oid4vp" version = "0.1.0" edition = "2021" authors = ["Spruce Systems, Inc."] license = "MIT OR Apache-2.0" description = "OpenID Connect for Verifiable Presentations" repository = "https://github.com/spruceid/oidc4vp-rs/" -documentation = "https://docs.rs/oidc4vp/" +documentation = "https://docs.rs/oid4vp/" [dependencies] -# openidconnect = { version = "2.4.0", default-features = false } -jsonpath-rust = "0.2.0" -serde = { version = "1.0.147", features = ["derive"] } -serde_json = "1.0.87" -ssi = { version = "0.6.0", default-features = false } -thiserror = "1.0.37" -# jsonschema = { version = "0.16.1", default-features = false } -lazy_static = "1.4.0" -# schemars = { version = "0.8.11", default-features = false } +anyhow = "1.0.75" +async-trait = "0.1.73" +base64 = "0.21.4" +did-web = "0.2.2" +josekit = { git = "https://github.com/cobward/josekit-rs", rev = "635c8a7" } +p256 = { version = "0.13.2", features = ["jwk"] } +reqwest = "0.11.20" +serde = "1.0.188" +serde_cbor = "0.11.2" +serde_json = "1.0.107" +serde_qs = "0.12.0" +serde_urlencoded = "0.7.1" +ssi = "0.7.0" +thiserror = "1.0.49" +tracing = "0.1.37" +url = { version = "2.4.1", features = ["serde"] } +x509-cert = "0.2.4" [dev-dependencies] serde_path_to_error = "0.1.8" - +tokio = { version = "1.32.0", features = ["macros"] } [target.'cfg(target_arch = "wasm32")'.dependencies] uuid = { version = "1.2", features = ["v4", "serde", "js"] } diff --git a/src/core/authorization_request/mod.rs b/src/core/authorization_request/mod.rs new file mode 100644 index 0000000..8c8c77a --- /dev/null +++ b/src/core/authorization_request/mod.rs @@ -0,0 +1,355 @@ +use std::ops::{Deref, DerefMut}; + +use anyhow::{anyhow, bail, Context, Error, Result}; +use serde::{Deserialize, Serialize}; +use serde_json::Value as Json; +use url::Url; + +use self::{ + parameters::{ + ClientId, ClientIdScheme, Nonce, PresentationDefinition, PresentationDefinitionUri, + RedirectUri, ResponseMode, ResponseType, ResponseUri, + }, + verification::verify_request, +}; + +use super::{ + object::{ParsingErrorContext, UntypedObject}, + profile::Wallet, + util::default_http_client, +}; + +pub mod parameters; +pub mod verification; + +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(try_from = "UntypedObject", into = "UntypedObject")] +pub struct AuthorizationRequestObject( + UntypedObject, + ClientId, + ClientIdScheme, + ResponseMode, + ResponseType, + PresentationDefinitionIndirection, + Url, + Nonce, +); + +/// An Authorization Request. +#[derive(Debug, Clone, Serialize, Deserialize)] +pub struct AuthorizationRequest { + pub client_id: String, + #[serde(flatten)] + pub request_indirection: RequestIndirection, +} + +/// A RequestObject, passed by value or by reference. +#[derive(Debug, Clone, Serialize, Deserialize)] +pub enum RequestIndirection { + #[serde(rename = "request")] + ByValue(String), + #[serde(rename = "request_uri")] + ByReference(Url), +} + +/// A PresentationDefinition, passed by value or by reference +#[derive(Debug, Clone)] +pub enum PresentationDefinitionIndirection { + ByValue(PresentationDefinition), + ByReference(Url), +} + +impl AuthorizationRequest { + /// Validate the [AuthorizationRequest] according to the client_id scheme and return the parsed + /// [RequestObject]. + /// + /// Custom wallet metadata can be provided, otherwise the default metadata for this profile is used. + pub async fn validate_with_http_client( + self, + wallet_profile: &WP, + http_client: &reqwest::Client, + ) -> Result { + let jwt = match self.request_indirection { + RequestIndirection::ByValue(jwt) => jwt, + RequestIndirection::ByReference(url) => http_client + .get(url.clone()) + .send() + .await + .context(format!("failed to GET {url}"))? + .error_for_status() + .context(format!("failed to GET {url}"))? + .text() + .await + .context(format!("failed to parse data from {url}"))?, + }; + let aro = verify_request(wallet_profile, jwt, http_client) + .await + .context("unable to validate Authorization Request")?; + if self.client_id.as_str() != aro.client_id().0.as_str() { + bail!( + "Authorization Request and Request Object have different client ids: '{}' vs. '{}'", + self.client_id, + aro.client_id().0 + ); + } + Ok(aro) + } + + /// Validate the [AuthorizationRequest] according to the client_id scheme and return the parsed + /// [RequestObject]. + /// + /// Custom wallet metadata can be provided, otherwise the default metadata for this profile is used. + /// + /// This method uses the library default http client to fetch the request object if it is passed by reference. + pub async fn validate( + self, + wallet_profile: &WP, + ) -> Result { + self.validate_with_http_client(wallet_profile, &default_http_client()?) + .await + } + + /// Encode as [Url], using the `authorization_endpoint` as a base. + /// ``` + /// # use oid4vp::core::authorization_request::AuthorizationRequest; + /// # use oid4vp::core::authorization_request::RequestIndirection; + /// # use url::Url; + /// let authorization_endpoint: Url = "example://".parse().unwrap(); + /// let authorization_request = AuthorizationRequest { + /// client_id: "xyz".to_string(), + /// request_indirection: RequestIndirection::ByValue("test".to_string()), + /// }; + /// + /// let authorization_request_url = authorization_request.to_url(authorization_endpoint).unwrap(); + /// + /// assert_eq!(authorization_request_url.as_str(), "example://?client_id=xyz&request=test"); + /// ``` + pub fn to_url(self, mut authorization_endpoint: Url) -> Result { + let query = serde_urlencoded::to_string(self)?; + authorization_endpoint.set_query(Some(&query)); + Ok(authorization_endpoint) + } + + /// Parse from [Url], validating the authorization_endpoint. + /// ``` + /// # use oid4vp::core::authorization_request::AuthorizationRequest; + /// # use oid4vp::core::authorization_request::RequestIndirection; + /// # use url::Url; + /// let url: Url = "example://?client_id=xyz&request=test".parse().unwrap(); + /// let authorization_endpoint: Url = "example://".parse().unwrap(); + /// + /// let authorization_request = AuthorizationRequest::from_url( + /// url, + /// &authorization_endpoint + /// ).unwrap(); + /// + /// assert_eq!(authorization_request.client_id, "xyz"); + /// + /// let RequestIndirection::ByValue(request_object) = + /// authorization_request.request_indirection + /// else { + /// panic!("expected request-by-value") + /// }; + /// + /// assert_eq!(request_object, "test"); + /// ``` + pub fn from_url(url: Url, authorization_endpoint: &Url) -> Result { + let query = url + .query() + .ok_or(anyhow!("missing query params in Authorization Request uri"))? + .to_string(); + let fnd = url.authority(); + let exp = authorization_endpoint.authority(); + if fnd != exp { + bail!("unexpected authorization_endpoint authority, expected '{exp}', received '{fnd}'") + } + let fnd = url.path(); + let exp = authorization_endpoint.path(); + if fnd != exp { + bail!("unexpected authorization_endpoint path, expected '{exp}', received '{fnd}'") + } + Self::from_query_params(&query) + } + + /// Parse from urlencoded query parameters. + /// ``` + /// # use oid4vp::core::authorization_request::AuthorizationRequest; + /// # use oid4vp::core::authorization_request::RequestIndirection; + /// let query = "client_id=xyz&request=test"; + /// + /// let authorization_request = AuthorizationRequest::from_query_params(query).unwrap(); + /// + /// assert_eq!(authorization_request.client_id, "xyz"); + /// + /// let RequestIndirection::ByValue(request_object) = authorization_request.request_indirection + /// else { panic!("expected request-by-value") }; + /// assert_eq!(request_object, "test"); + /// ``` + pub fn from_query_params(query_params: &str) -> Result { + serde_urlencoded::from_str(query_params) + .context("unable to parse Authorization Request from query params") + } +} + +impl AuthorizationRequestObject { + pub fn client_id(&self) -> &ClientId { + &self.1 + } + + pub fn client_id_scheme(&self) -> &ClientIdScheme { + &self.2 + } + + pub async fn resolve_presentation_definition_with_http_client( + &self, + http_client: reqwest::Client, + ) -> Result { + match &self.5 { + PresentationDefinitionIndirection::ByValue(by_value) => Ok(by_value.clone()), + PresentationDefinitionIndirection::ByReference(by_reference) => { + let value: Json = http_client + .get(by_reference.clone()) + .send() + .await + .context(format!( + "failed to GET Presentation Definition from '{by_reference}'" + ))? + .error_for_status() + .context(format!( + "failed to GET Presentation Definition from '{by_reference}'" + ))? + .json() + .await + .context(format!( + "response received from '{by_reference}' was not JSON" + ))?; + value.try_into() + } + } + } + + /// Uses the default library http client. + pub async fn resolve_presentation_definition(&self) -> Result { + self.resolve_presentation_definition_with_http_client(default_http_client()?) + .await + } + + pub fn is_id_token_requested(&self) -> Option { + match self.4 { + ResponseType::VpToken => Some(false), + ResponseType::VpTokenIdToken => Some(true), + ResponseType::Unsupported(_) => None, + } + } + + pub fn response_mode(&self) -> &ResponseMode { + &self.3 + } + + pub fn response_type(&self) -> &ResponseType { + &self.4 + } + + /// Uri to submit the response at. + /// + /// AKA [ResponseUri] or [RedirectUri] depending on [ResponseMode]. + pub fn return_uri(&self) -> &Url { + &self.6 + } + + pub fn nonce(&self) -> &Nonce { + &self.7 + } +} + +impl From for UntypedObject { + fn from(value: AuthorizationRequestObject) -> Self { + let mut inner = value.0; + inner.insert(value.1); + inner.insert(value.2); + inner + } +} + +impl TryFrom for AuthorizationRequestObject { + type Error = Error; + + fn try_from(value: UntypedObject) -> std::result::Result { + let client_id = value.get().parsing_error()?; + let client_id_scheme = value + .get() + .parsing_error() + .context("this library cannot handle requests that omit client_id_scheme")?; + + let redirect_uri = value.get::(); + let response_uri = value.get::(); + + let (return_uri, response_mode) = match ( + redirect_uri, + response_uri, + value.get_or_default::().parsing_error()?, + ) { + (_, _, ResponseMode::Unsupported(m)) => { + bail!("this 'response_mode' ({m}) is not currently supported") + } + (Some(_), Some(_), _) => { + bail!("'response_uri' and 'redirect_uri' are mutually exclusive") + } + (_, None, response_mode @ ResponseMode::DirectPost) + | (_, None, response_mode @ ResponseMode::DirectPostJwt) => { + bail!("'response_uri' is required for this 'response_mode' ({response_mode})") + } + (_, Some(uri), response_mode @ ResponseMode::DirectPost) + | (_, Some(uri), response_mode @ ResponseMode::DirectPostJwt) => { + (uri.parsing_error()?.0, response_mode) + } + }; + + let response_type: ResponseType = value.get().parsing_error()?; + + let pd_indirection = match ( + value.get::(), + value.get::(), + ) { + (None, None) => bail!( + "one of 'presentation_definition' and 'presentation_definition_uri' are required" + ), + (Some(_), Some(_)) => { + bail!("'presentation_definition' and 'presentation_definition_uri' are mutually exclusive") + } + (Some(by_value), None) => { + PresentationDefinitionIndirection::ByValue(by_value.parsing_error()?) + } + (None, Some(by_reference)) => { + PresentationDefinitionIndirection::ByReference(by_reference.parsing_error()?.0) + } + }; + + let nonce = value.get().parsing_error()?; + + Ok(Self( + value, + client_id, + client_id_scheme, + response_mode, + response_type, + pd_indirection, + return_uri, + nonce, + )) + } +} + +impl Deref for AuthorizationRequestObject { + type Target = UntypedObject; + + fn deref(&self) -> &Self::Target { + &self.0 + } +} + +impl DerefMut for AuthorizationRequestObject { + fn deref_mut(&mut self) -> &mut Self::Target { + &mut self.0 + } +} diff --git a/src/core/authorization_request/parameters.rs b/src/core/authorization_request/parameters.rs new file mode 100644 index 0000000..6e4968c --- /dev/null +++ b/src/core/authorization_request/parameters.rs @@ -0,0 +1,508 @@ +use std::fmt; + +use crate::core::{ + object::{ParsingErrorContext, TypedParameter, UntypedObject}, + util::default_http_client, +}; +use anyhow::{bail, Context, Error, Ok}; +use serde::{Deserialize, Serialize}; +use serde_json::Value as Json; +use url::Url; + +use super::AuthorizationRequestObject; + +const DID: &str = "did"; +const ENTITY_ID: &str = "entity_id"; +const PREREGISTERED: &str = "pre-registered"; +const REDIRECT_URI: &str = "redirect_uri"; +const X509_SAN_DNS: &str = "x509_san_dns"; +const X509_SAN_URI: &str = "x509_san_uri"; + +#[derive(Debug, Clone)] +pub struct ClientId(pub String); + +#[derive(Debug, Clone, PartialEq)] +pub enum ClientIdScheme { + Did, + EntityId, + PreRegistered, + RedirectUri, + X509SanDns, + X509SanUri, + Other(String), +} + +impl TypedParameter for ClientId { + const KEY: &'static str = "client_id"; +} + +impl TryFrom for ClientId { + type Error = Error; + + fn try_from(value: Json) -> Result { + Ok(Self(serde_json::from_value(value)?)) + } +} + +impl From for Json { + fn from(value: ClientId) -> Self { + Json::String(value.0) + } +} + +impl TypedParameter for ClientIdScheme { + const KEY: &'static str = "client_id_scheme"; +} + +impl From for ClientIdScheme { + fn from(s: String) -> Self { + match s.as_str() { + DID => ClientIdScheme::Did, + ENTITY_ID => ClientIdScheme::EntityId, + PREREGISTERED => ClientIdScheme::PreRegistered, + REDIRECT_URI => ClientIdScheme::RedirectUri, + X509_SAN_DNS => ClientIdScheme::X509SanDns, + X509_SAN_URI => ClientIdScheme::X509SanUri, + _ => ClientIdScheme::Other(s), + } + } +} + +impl From for String { + fn from(cis: ClientIdScheme) -> Self { + match cis { + ClientIdScheme::Did => DID.into(), + ClientIdScheme::EntityId => ENTITY_ID.into(), + ClientIdScheme::PreRegistered => PREREGISTERED.into(), + ClientIdScheme::RedirectUri => REDIRECT_URI.into(), + ClientIdScheme::X509SanDns => X509_SAN_DNS.into(), + ClientIdScheme::X509SanUri => X509_SAN_URI.into(), + ClientIdScheme::Other(u) => u, + } + } +} + +impl TryFrom for ClientIdScheme { + type Error = Error; + + fn try_from(value: Json) -> Result { + serde_json::from_value(value) + .map(String::into) + .map_err(Error::from) + } +} + +impl From for Json { + fn from(value: ClientIdScheme) -> Self { + Json::String(value.into()) + } +} + +impl fmt::Display for ClientIdScheme { + fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { + match self { + ClientIdScheme::Did => DID, + ClientIdScheme::EntityId => ENTITY_ID, + ClientIdScheme::PreRegistered => PREREGISTERED, + ClientIdScheme::RedirectUri => REDIRECT_URI, + ClientIdScheme::X509SanDns => X509_SAN_DNS, + ClientIdScheme::X509SanUri => X509_SAN_URI, + ClientIdScheme::Other(o) => o, + } + .fmt(f) + } +} + +/// `client_metadata` field in the Authorization Request. +#[derive(Debug, Clone)] +pub struct ClientMetadata(pub UntypedObject); + +impl TypedParameter for ClientMetadata { + const KEY: &'static str = "client_metadata"; +} + +impl From for Json { + fn from(cm: ClientMetadata) -> Self { + cm.0 .0.into() + } +} + +impl TryFrom for ClientMetadata { + type Error = Error; + + fn try_from(value: Json) -> Result { + Ok(serde_json::from_value(value).map(ClientMetadata)?) + } +} + +impl ClientMetadata { + /// Resolves the client metadata from the Authorization Request Object. + /// + /// If the client metadata is not passed by reference or value if the Authorization Request Object, + /// then this function will return an error. + /// + /// Uses the library's default http client. + pub async fn resolve(request: &AuthorizationRequestObject) -> Result { + Self::resolve_with_http_client(request, &default_http_client()?).await + } + + /// Resolves the client metadata from the Authorization Request Object. + /// + /// If the client metadata is not passed by reference or value if the Authorization Request Object, + /// then this function will return an error. + pub async fn resolve_with_http_client( + request: &AuthorizationRequestObject, + http_client: &reqwest::Client, + ) -> Result { + if let Some(metadata) = request.get() { + return metadata; + } + + if let Some(metadata_uri) = request.get::() { + let uri = metadata_uri.parsing_error()?; + return http_client + .get(uri.0.clone()) + .send() + .await + .context(format!("failed to GET {}", uri.0))? + .error_for_status() + .context(format!("failed to GET {}", uri.0))? + .json() + .await + .map(ClientMetadata) + .context(format!( + "could not parse response from GET '{}' as JSON", + uri.0 + )); + } + + bail!("") + } +} + +/// `client_metadata_uri` field in the Authorization Request. +#[derive(Debug, Clone)] +pub struct ClientMetadataUri(pub Url); + +impl TypedParameter for ClientMetadataUri { + const KEY: &'static str = "client_metadata_uri"; +} + +impl From for Json { + fn from(cmu: ClientMetadataUri) -> Self { + cmu.0.to_string().into() + } +} + +impl TryFrom for ClientMetadataUri { + type Error = Error; + + fn try_from(value: Json) -> Result { + Ok(serde_json::from_value(value).map(ClientMetadataUri)?) + } +} + +#[derive(Debug, Clone, Serialize, Deserialize)] +pub struct Nonce(pub String); + +impl TypedParameter for Nonce { + const KEY: &'static str = "nonce"; +} + +impl TryFrom for Nonce { + type Error = Error; + + fn try_from(value: Json) -> Result { + Ok(Self(serde_json::from_value(value)?)) + } +} + +impl From for Json { + fn from(value: Nonce) -> Self { + Json::String(value.0) + } +} + +#[derive(Debug, Clone)] +pub struct Audience(pub String); + +impl TypedParameter for Audience { + const KEY: &'static str = "aud"; +} + +impl TryFrom for Audience { + type Error = Error; + + fn try_from(value: Json) -> Result { + Ok(Self(serde_json::from_value(value)?)) + } +} + +impl From for Json { + fn from(value: Audience) -> Json { + Json::String(value.0) + } +} + +/// `redirect_uri` field in the Authorization Request. +#[derive(Debug, Clone)] +pub struct RedirectUri(pub Url); + +impl TypedParameter for RedirectUri { + const KEY: &'static str = "redirect_uri"; +} + +impl From for Json { + fn from(cmu: RedirectUri) -> Self { + cmu.0.to_string().into() + } +} + +impl TryFrom for RedirectUri { + type Error = Error; + + fn try_from(value: Json) -> Result { + Ok(serde_json::from_value(value).map(RedirectUri)?) + } +} + +/// `response_uri` field in the Authorization Request. +#[derive(Debug, Clone)] +pub struct ResponseUri(pub Url); + +impl TypedParameter for ResponseUri { + const KEY: &'static str = "response_uri"; +} + +impl From for Json { + fn from(cmu: ResponseUri) -> Self { + cmu.0.to_string().into() + } +} + +impl TryFrom for ResponseUri { + type Error = Error; + + fn try_from(value: Json) -> Result { + Ok(serde_json::from_value(value).map(ResponseUri)?) + } +} + +const DIRECT_POST: &str = "direct_post"; +const DIRECT_POST_JWT: &str = "direct_post.jwt"; + +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(into = "String", from = "String")] +pub enum ResponseMode { + /// The `direct_post` response mode as defined in OID4VP. + DirectPost, + /// The `direct_post.jwt` response mode as defined in OID4VP. + DirectPostJwt, + /// A ResponseMode that is unsupported by this library. + Unsupported(String), +} + +impl TypedParameter for ResponseMode { + const KEY: &'static str = "response_mode"; +} + +impl From for ResponseMode { + fn from(s: String) -> Self { + match s.as_str() { + DIRECT_POST => ResponseMode::DirectPost, + DIRECT_POST_JWT => ResponseMode::DirectPostJwt, + _ => ResponseMode::Unsupported(s), + } + } +} + +impl From for String { + fn from(s: ResponseMode) -> Self { + match s { + ResponseMode::DirectPost => DIRECT_POST.into(), + ResponseMode::DirectPostJwt => DIRECT_POST_JWT.into(), + ResponseMode::Unsupported(u) => u, + } + } +} + +impl TryFrom for ResponseMode { + type Error = Error; + + fn try_from(value: Json) -> Result { + let s: String = serde_json::from_value(value)?; + Ok(s.into()) + } +} + +impl From for Json { + fn from(rm: ResponseMode) -> Self { + String::from(rm).into() + } +} + +impl fmt::Display for ResponseMode { + fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { + match self { + ResponseMode::DirectPost => DIRECT_POST, + ResponseMode::DirectPostJwt => DIRECT_POST_JWT, + ResponseMode::Unsupported(u) => u, + } + .fmt(f) + } +} + +impl Default for ResponseMode { + fn default() -> Self { + Self::Unsupported("fragment".into()) + } +} + +impl ResponseMode { + pub fn is_jarm(&self) -> Result { + match self { + ResponseMode::DirectPost => Ok(false), + ResponseMode::DirectPostJwt => Ok(true), + ResponseMode::Unsupported(rm) => bail!("unsupported response_mode: {rm}"), + } + } +} + +const VP_TOKEN: &str = "vp_token"; +const VP_TOKEN_ID_TOKEN: &str = "vp_token id_token"; + +#[derive(Debug, Clone, Deserialize, Serialize, PartialEq)] +#[serde(into = "String", from = "String")] +pub enum ResponseType { + VpToken, + VpTokenIdToken, + Unsupported(String), +} + +impl From for String { + fn from(rt: ResponseType) -> Self { + match rt { + ResponseType::VpToken => VP_TOKEN.into(), + ResponseType::VpTokenIdToken => VP_TOKEN_ID_TOKEN.into(), + ResponseType::Unsupported(s) => s, + } + } +} + +impl From for ResponseType { + fn from(s: String) -> Self { + match s.as_str() { + VP_TOKEN => ResponseType::VpToken, + VP_TOKEN_ID_TOKEN => ResponseType::VpTokenIdToken, + _ => ResponseType::Unsupported(s), + } + } +} + +impl TypedParameter for ResponseType { + const KEY: &'static str = "response_type"; +} + +impl TryFrom for ResponseType { + type Error = Error; + + fn try_from(value: Json) -> Result { + let s: String = serde_json::from_value(value)?; + Ok(s.into()) + } +} + +impl From for Json { + fn from(rt: ResponseType) -> Self { + Json::String(rt.into()) + } +} + +#[derive(Debug, Clone)] +pub struct State(pub String); + +impl TypedParameter for State { + const KEY: &'static str = "state"; +} + +impl TryFrom for State { + type Error = Error; + + fn try_from(value: Json) -> Result { + Ok(Self(serde_json::from_value(value)?)) + } +} + +impl From for Json { + fn from(value: State) -> Self { + Json::String(value.0) + } +} + +// TODO: Revisit the inner parsed type. +#[derive(Debug, Clone)] +pub struct PresentationDefinition { + raw: Json, + parsed: crate::presentation_exchange::PresentationDefinition, +} + +impl PresentationDefinition { + pub fn into_parsed(self) -> crate::presentation_exchange::PresentationDefinition { + self.parsed + } + + pub fn parsed(&self) -> &crate::presentation_exchange::PresentationDefinition { + &self.parsed + } +} + +impl TryFrom for PresentationDefinition { + type Error = Error; + + fn try_from( + parsed: crate::presentation_exchange::PresentationDefinition, + ) -> Result { + let raw = serde_json::to_value(parsed.clone())?; + Ok(Self { raw, parsed }) + } +} + +impl TypedParameter for PresentationDefinition { + const KEY: &'static str = "presentation_definition"; +} + +impl TryFrom for PresentationDefinition { + type Error = Error; + + fn try_from(value: Json) -> Result { + let parsed = serde_json::from_value(value.clone())?; + Ok(Self { raw: value, parsed }) + } +} + +impl From for Json { + fn from(value: PresentationDefinition) -> Self { + value.raw + } +} + +#[derive(Debug, Clone)] +pub struct PresentationDefinitionUri(pub Url); + +impl TypedParameter for PresentationDefinitionUri { + const KEY: &'static str = "presentation_definition_uri"; +} + +impl TryFrom for PresentationDefinitionUri { + type Error = Error; + + fn try_from(value: Json) -> Result { + Ok(serde_json::from_value(value).map(Self)?) + } +} + +impl From for Json { + fn from(value: PresentationDefinitionUri) -> Self { + value.0.to_string().into() + } +} diff --git a/src/core/authorization_request/verification/did.rs b/src/core/authorization_request/verification/did.rs new file mode 100644 index 0000000..8b14607 --- /dev/null +++ b/src/core/authorization_request/verification/did.rs @@ -0,0 +1,75 @@ +use crate::core::{ + authorization_request::AuthorizationRequestObject, + metadata::{parameters::wallet::RequestObjectSigningAlgValuesSupported, WalletMetadata}, + object::ParsingErrorContext, +}; +use anyhow::{bail, Context, Result}; +use base64::prelude::*; +use serde_json::{Map, Value as Json}; +use ssi::did_resolve::{resolve_key, DIDResolver}; + +/// Default implementation of request validation for `client_id_scheme` `did`. +pub async fn verify_with_resolver( + wallet_metadata: &WalletMetadata, + request_object: &AuthorizationRequestObject, + request_jwt: String, + trusted_dids: Option<&[String]>, + resolver: &dyn DIDResolver, +) -> Result<()> { + let (headers_b64, _, _) = ssi::jws::split_jws(&request_jwt)?; + + let headers_json_bytes = BASE64_URL_SAFE_NO_PAD + .decode(headers_b64) + .context("jwt headers were not valid base64url")?; + + let mut headers = serde_json::from_slice::>(&headers_json_bytes) + .context("jwt headers were not valid json")?; + + let Json::String(alg) = headers + .remove("alg") + .context("'alg' was missing from jwt headers")? + else { + bail!("'alg' header was not a string") + }; + + let supported_algs: RequestObjectSigningAlgValuesSupported = + wallet_metadata.get().parsing_error()?; + + if !supported_algs.0.contains(&alg) { + bail!("request was signed with unsupported algorithm: {alg}") + } + + let Json::String(kid) = headers + .remove("kid") + .context("'kid' was missing from jwt headers")? + else { + bail!("'kid' header was not a string") + }; + + let client_id = request_object.client_id(); + let (did, _f) = kid.split_once('#').context(format!( + "expected a DID verification method in 'kid' header, received '{kid}'" + ))?; + + if client_id.0 != did { + bail!( + "DIDs from 'kid' ({did}) and 'client_id' ({}) do not match", + client_id.0 + ) + } + + if let Some(dids) = trusted_dids { + if !dids.iter().any(|trusted_did| trusted_did == did) { + bail!("'client_id' ({did}) is not in the list of trusted dids") + } + } + + let jwk = resolve_key(&kid, resolver) + .await + .context("unable to resolve verification method from 'kid' header")?; + + let _: Json = ssi::jwt::decode_verify(&request_jwt, &jwk) + .context("request signature could not be verified")?; + + Ok(()) +} diff --git a/src/core/authorization_request/verification/mod.rs b/src/core/authorization_request/verification/mod.rs new file mode 100644 index 0000000..5aeb4fd --- /dev/null +++ b/src/core/authorization_request/verification/mod.rs @@ -0,0 +1,180 @@ +use crate::core::{ + metadata::{ + parameters::{ + verifier::{AuthorizationEncryptedResponseAlg, AuthorizationEncryptedResponseEnc}, + wallet::{ + AuthorizationEncryptionAlgValuesSupported, + AuthorizationEncryptionEncValuesSupported, + }, + }, + WalletMetadata, + }, + object::{ParsingErrorContext, TypedParameter, UntypedObject}, + profile::{Profile, Wallet}, +}; +use anyhow::{bail, Context, Error, Result}; +use async_trait::async_trait; + +use super::{ + parameters::{ClientIdScheme, ClientMetadata, ResponseMode}, + AuthorizationRequestObject, +}; + +pub mod did; +pub mod x509_san_dns; +pub mod x509_san_uri; + +/// Verifies Authorization Request Objects. +#[async_trait] +pub trait RequestVerification { + /// Performs verification on Authorization Request Objects when `client_id_scheme` is `did`. + /// + /// See default implementation [did]. + async fn did( + &self, + decoded_request: &AuthorizationRequestObject, + request_jwt: String, + ) -> Result<(), Error>; + + /// Performs verification on Authorization Request Objects when `client_id_scheme` is `entity_id`. + async fn entity_id( + &self, + decoded_request: &AuthorizationRequestObject, + request_jwt: String, + ) -> Result<(), Error>; + + /// Performs verification on Authorization Request Objects when `client_id_scheme` is `pre-registered`. + async fn preregistered( + &self, + decoded_request: &AuthorizationRequestObject, + request_jwt: String, + ) -> Result<(), Error>; + + /// Performs verification on Authorization Request Objects when `client_id_scheme` is `redirect_uri`. + /// + /// See default implementation [redirect_uri]. + async fn redirect_uri( + &self, + decoded_request: &AuthorizationRequestObject, + request_jwt: String, + ) -> Result<(), Error>; + + /// Performs verification on Authorization Request Objects when `client_id_scheme` is `x509_san_dns`. + /// + /// See default implementation [x509_san_uri]. + async fn x509_san_dns( + &self, + decoded_request: &AuthorizationRequestObject, + request_jwt: String, + ) -> Result<(), Error>; + + /// Performs verification on Authorization Request Objects when `client_id_scheme` is `x509_san_uri`. + /// + /// See default implementation [x509_san_uri]. + async fn x509_san_uri( + &self, + decoded_request: &AuthorizationRequestObject, + request_jwt: String, + ) -> Result<(), Error>; + + /// Performs verification on Authorization Request Objects when `client_id_scheme` is any other value. + async fn other( + &self, + client_id_scheme: &str, + decoded_request: &AuthorizationRequestObject, + request_jwt: String, + ) -> Result<(), Error>; +} + +pub(crate) async fn verify_request( + profile: &WP, + jwt: String, + http_client: &reqwest::Client, +) -> Result { + let request: AuthorizationRequestObject = ssi::jwt::decode_unverified::(&jwt) + .context("unable to decode Authorization Request Object JWT")? + .try_into()?; + + validate_request_against_metadata::( + profile, + &request, + profile.wallet_metadata(), + http_client, + ) + .await?; + + let client_id_scheme = request.client_id_scheme(); + + match client_id_scheme { + ClientIdScheme::Did => profile.did(&request, jwt).await?, + ClientIdScheme::EntityId => profile.entity_id(&request, jwt).await?, + ClientIdScheme::PreRegistered => profile.preregistered(&request, jwt).await?, + ClientIdScheme::RedirectUri => profile.redirect_uri(&request, jwt).await?, + ClientIdScheme::X509SanDns => profile.x509_san_dns(&request, jwt).await?, + ClientIdScheme::X509SanUri => profile.x509_san_uri(&request, jwt).await?, + ClientIdScheme::Other(scheme) => profile.other(scheme, &request, jwt).await?, + }; + + Ok(request) +} + +pub(crate) async fn validate_request_against_metadata( + profile: &P, + request: &AuthorizationRequestObject, + wallet_metadata: &WalletMetadata, + http_client: &reqwest::Client, +) -> Result<(), Error> { + let client_id_scheme = request.client_id_scheme(); + if !wallet_metadata + .client_id_schemes_supported() + .0 + .contains(client_id_scheme) + { + bail!( + "wallet does not support client_id_scheme '{}'", + client_id_scheme + ) + } + + let client_metadata = ClientMetadata::resolve_with_http_client(request, http_client) + .await? + .0; + + let response_mode = request.get::().parsing_error()?; + + if response_mode.is_jarm()? { + let alg = client_metadata + .get::() + .parsing_error()?; + let enc = client_metadata + .get::() + .parsing_error()?; + + if let Some(supported_algs) = + wallet_metadata.get::() + { + if !supported_algs?.0.contains(&alg.0) { + bail!( + "unsupported {} '{}'", + AuthorizationEncryptedResponseAlg::KEY, + alg.0 + ) + } + } + if let Some(supported_encs) = + wallet_metadata.get::() + { + if !supported_encs?.0.contains(&enc.0) { + bail!( + "unsupported {} '{}'", + AuthorizationEncryptedResponseEnc::KEY, + enc.0 + ) + } + } + } + + profile + .validate_request(wallet_metadata, request) + .context("unable to validate request according to profile-specific checks:") +} diff --git a/src/core/authorization_request/verification/x509_san_dns.rs b/src/core/authorization_request/verification/x509_san_dns.rs new file mode 100644 index 0000000..90432db --- /dev/null +++ b/src/core/authorization_request/verification/x509_san_dns.rs @@ -0,0 +1,141 @@ +use anyhow::{bail, Context, Error, Result}; +use base64::prelude::*; +use p256::ecdsa::signature::Verifier as _; +use serde_json::{Map, Value as Json}; +use tracing::debug; +use x509_cert::{ + der::{referenced::OwnedToRef, Decode}, + ext::pkix::{name::GeneralName, SubjectAltName}, + spki::SubjectPublicKeyInfoRef, + Certificate, +}; + +use crate::core::{ + authorization_request::AuthorizationRequestObject, + metadata::{parameters::wallet::RequestObjectSigningAlgValuesSupported, WalletMetadata}, + object::ParsingErrorContext, +}; + +/// Default implementation of request validation for `client_id_scheme` `x509_san_dns`. +pub fn validate( + wallet_metadata: &WalletMetadata, + request_object: &AuthorizationRequestObject, + request_jwt: String, + trusted_roots: Option<&[Certificate]>, +) -> Result<()> { + let client_id = request_object.client_id().0.as_str(); + let (headers_b64, body_b64, sig_b64) = ssi::jws::split_jws(&request_jwt)?; + + let headers_json_bytes = BASE64_URL_SAFE_NO_PAD + .decode(headers_b64) + .context("jwt headers were not valid base64url")?; + + let mut headers = serde_json::from_slice::>(&headers_json_bytes) + .context("jwt headers were not valid json")?; + + let Json::String(alg) = headers + .remove("alg") + .context("'alg' was missing from jwt headers")? + else { + bail!("'alg' header was not a string") + }; + + let supported_algs: RequestObjectSigningAlgValuesSupported = + wallet_metadata.get().parsing_error()?; + + if !supported_algs.0.contains(&alg) { + bail!("request was signed with unsupported algorithm: {alg}") + } + + let Json::Array(x5chain) = headers + .remove("x5c") + .context("'x5c' was missing from jwt headers")? + else { + bail!("'x5c' header was not an array") + }; + + let Json::String(b64_x509) = x5chain.get(0).context("'x5c' was an empty array")? else { + bail!("'x5c' header was not an array of strings"); + }; + + let leaf_cert_der = BASE64_STANDARD_NO_PAD + .decode(b64_x509.trim_end_matches('=')) + .context("leaf certificate in 'x5c' was not valid base64")?; + + let leaf_cert = Certificate::from_der(&leaf_cert_der) + .context("leaf certificate in 'x5c' was not valid DER")?; + + if !leaf_cert + .tbs_certificate + .filter::() + .filter_map(|r| match r { + Ok((_crit, san)) => Some(san.0.into_iter()), + Err(e) => { + debug!("unable to parse SubjectAlternativeName from DER: {e}"); + None + } + }) + .flatten() + .filter_map(|gn| match gn { + GeneralName::DnsName(dns) => Some(dns.to_string()), + _ => { + debug!("found non-URI SAN: {gn:?}"); + None + } + }) + .any(|uri| uri == client_id) + { + bail!("client_id does not match any Subject Alternative Name") + } + + if let Some(_trusted_roots) = trusted_roots { + // TODO: Verify chain to root. + } + + let verifier = V::from_spki( + leaf_cert + .tbs_certificate + .subject_public_key_info + .owned_to_ref(), + alg, + ) + .context("unable to parse SPKI")?; + + let payload = [headers_b64.as_bytes(), b".", body_b64.as_bytes()].concat(); + let signature = BASE64_URL_SAFE_NO_PAD + .decode(sig_b64) + .context("could not decode base64url encoded jwt signature")?; + + verifier + .verify(&payload, &signature) + .context("request signature could not be verified")?; + + Ok(()) +} + +pub trait Verifier: Sized { + /// Construct a [Verifier] from [SubjectPublicKeyInfoRef]. + /// + /// ## Params + /// * `spki` - the public key information necessary to construct a [Verifier]. + /// * `algorithm` - the value taken from the `alg` header of the request, to hint at what curve should be used by the [Verifier]. + fn from_spki(spki: SubjectPublicKeyInfoRef<'_>, algorithm: String) -> Result; + fn verify(&self, payload: &[u8], signature: &[u8]) -> Result<()>; +} + +#[derive(Debug, Clone)] +pub struct P256Verifier(p256::ecdsa::VerifyingKey); + +impl Verifier for P256Verifier { + fn from_spki(spki: SubjectPublicKeyInfoRef<'_>, algorithm: String) -> Result { + if algorithm != "ES256" { + bail!("P256Verifier cannot verify requests signed with '{algorithm}'") + } + spki.try_into().map(Self).map_err(Error::from) + } + + fn verify(&self, payload: &[u8], signature: &[u8]) -> Result<()> { + let signature = p256::ecdsa::Signature::from_slice(signature)?; + self.0.verify(payload, &signature).map_err(Error::from) + } +} diff --git a/src/core/authorization_request/verification/x509_san_uri.rs b/src/core/authorization_request/verification/x509_san_uri.rs new file mode 100644 index 0000000..1c61833 --- /dev/null +++ b/src/core/authorization_request/verification/x509_san_uri.rs @@ -0,0 +1,155 @@ +use anyhow::{bail, Context, Error, Result}; +use base64::prelude::*; +use p256::ecdsa::signature::Verifier as _; +use serde_json::{Map, Value as Json}; +use tracing::{debug, warn}; +use x509_cert::{ + der::{referenced::OwnedToRef, Decode}, + ext::pkix::{name::GeneralName, SubjectAltName}, + spki::SubjectPublicKeyInfoRef, + Certificate, +}; + +use crate::core::{ + authorization_request::AuthorizationRequestObject, + metadata::{parameters::wallet::RequestObjectSigningAlgValuesSupported, WalletMetadata}, + object::ParsingErrorContext, +}; + +/// Default implementation of request validation for `client_id_scheme` `x509_san_uri`. +pub fn validate( + wallet_metadata: &WalletMetadata, + request_object: &AuthorizationRequestObject, + request_jwt: String, + trusted_roots: Option<&[Certificate]>, +) -> Result<()> { + let client_id = request_object.client_id().0.as_str(); + let (headers_b64, body_b64, sig_b64) = ssi::jws::split_jws(&request_jwt)?; + + let headers_json_bytes = BASE64_URL_SAFE_NO_PAD + .decode(headers_b64) + .context("jwt headers were not valid base64url")?; + + let mut headers = serde_json::from_slice::>(&headers_json_bytes) + .context("jwt headers were not valid json")?; + + let Json::String(alg) = headers + .remove("alg") + .context("'alg' was missing from jwt headers")? + else { + bail!("'alg' header was not a string") + }; + + let supported_algs: RequestObjectSigningAlgValuesSupported = + wallet_metadata.get().parsing_error()?; + + if !supported_algs.0.contains(&alg) { + bail!("request was signed with unsupported algorithm: {alg}") + } + + let Json::Array(x5chain) = headers + .remove("x5c") + .context("'x5c' was missing from jwt headers")? + else { + bail!("'x5c' header was not an array") + }; + + let Json::String(b64_x509) = x5chain.get(0).context("'x5c' was an empty array")? else { + bail!("'x5c' header was not an array of strings"); + }; + + let leaf_cert_der = BASE64_STANDARD_NO_PAD + .decode(b64_x509.trim_end_matches('=')) + .context("leaf certificate in 'x5c' was not valid base64")?; + + let leaf_cert = Certificate::from_der(&leaf_cert_der) + .context("leaf certificate in 'x5c' was not valid DER")?; + + // NOTE: Fallback to common name is removed in latest drafts of OID4VP. + if leaf_cert.tbs_certificate.get::() == Ok(None) { + warn!("x509 certificate does not contain Subject Alternative Name, falling back to Common Name"); + if !leaf_cert + .tbs_certificate + .subject + .0 + .iter() + .flat_map(|n| n.0.iter()) + .filter_map(|n| n.to_string().strip_prefix("CN=").map(ToOwned::to_owned)) + .any(|cn| cn == client_id) + { + bail!("client_id does not match Common Name and x509 certificate does not contain Subject Alternative Name") + } + } else if !leaf_cert + .tbs_certificate + .filter::() + .filter_map(|r| match r { + Ok((_crit, san)) => Some(san.0.into_iter()), + Err(e) => { + debug!("unable to parse SubjectAlternativeName from DER: {e}"); + None + } + }) + .flatten() + .filter_map(|gn| match gn { + GeneralName::UniformResourceIdentifier(uri) => Some(uri.to_string()), + _ => { + debug!("found non-URI SAN: {gn:?}"); + None + } + }) + .any(|uri| uri == client_id) + { + bail!("client_id does not match any Subject Alternative Name") + } + + if let Some(_trusted_roots) = trusted_roots { + // TODO: Verify chain to root. + } + + let verifier = V::from_spki( + leaf_cert + .tbs_certificate + .subject_public_key_info + .owned_to_ref(), + alg, + ) + .context("unable to parse SPKI")?; + + let payload = [headers_b64.as_bytes(), b".", body_b64.as_bytes()].concat(); + let signature = BASE64_URL_SAFE_NO_PAD + .decode(sig_b64) + .context("could not decode base64url encoded jwt signature")?; + + verifier + .verify(&payload, &signature) + .context("request signature could not be verified")?; + + Ok(()) +} + +pub trait Verifier: Sized { + /// Construct a [Verifier] from [SubjectPublicKeyInfoRef]. + /// + /// ## Params + /// * `spki` - the public key information necessary to construct a [Verifier]. + /// * `algorithm` - the value taken from the `alg` header of the request, to hint at what curve should be used by the [Verifier]. + fn from_spki(spki: SubjectPublicKeyInfoRef<'_>, algorithm: String) -> Result; + fn verify(&self, payload: &[u8], signature: &[u8]) -> Result<()>; +} + +#[derive(Debug, Clone)] +pub struct P256Verifier(p256::ecdsa::VerifyingKey); + +impl Verifier for P256Verifier { + fn from_spki(spki: SubjectPublicKeyInfoRef<'_>, algorithm: String) -> Result { + if algorithm != "ES256" { + bail!("P256Verifier cannot verify requests signed with '{algorithm}'") + } + spki.try_into().map(Self).map_err(Error::from) + } + + fn verify(&self, payload: &[u8], signature: &[u8]) -> Result<()> { + let signature = p256::ecdsa::Signature::from_slice(signature)?; + self.0.verify(payload, &signature).map_err(Error::from) + } +} diff --git a/src/core/credential_format/mod.rs b/src/core/credential_format/mod.rs new file mode 100644 index 0000000..863258e --- /dev/null +++ b/src/core/credential_format/mod.rs @@ -0,0 +1,17 @@ +/// A credential format that can be transmitted using OID4VP. +pub trait CredentialFormat { + /// The ID of the credential format. + const ID: &'static str; +} + +pub struct MsoMdoc; + +impl CredentialFormat for MsoMdoc { + const ID: &'static str = "mso_mdoc"; +} + +pub struct JwtVc; + +impl CredentialFormat for JwtVc { + const ID: &'static str = "jwt_vc"; +} diff --git a/src/core/metadata/mod.rs b/src/core/metadata/mod.rs new file mode 100644 index 0000000..fc63b6b --- /dev/null +++ b/src/core/metadata/mod.rs @@ -0,0 +1,89 @@ +use std::ops::{Deref, DerefMut}; + +use anyhow::Error; +use serde::{Deserialize, Serialize}; + +use self::parameters::wallet::{ + AuthorizationEndpoint, ClientIdSchemesSupported, VpFormatsSupported, +}; + +use super::object::{ParsingErrorContext, UntypedObject}; + +pub mod parameters; + +#[derive(Debug, Clone, Serialize, Deserialize)] +#[serde(try_from = "UntypedObject", into = "UntypedObject")] +pub struct WalletMetadata( + UntypedObject, + AuthorizationEndpoint, + VpFormatsSupported, + ClientIdSchemesSupported, +); + +impl WalletMetadata { + pub fn new( + authorization_endpoint: AuthorizationEndpoint, + vp_formats_supported: VpFormatsSupported, + client_id_schemes_supported: Option, + other: Option, + ) -> Self { + Self( + other.unwrap_or_default(), + authorization_endpoint, + vp_formats_supported, + client_id_schemes_supported.unwrap_or_default(), + ) + } + + pub fn authorization_endpoint(&self) -> &AuthorizationEndpoint { + &self.1 + } + + pub fn vp_formats_supported(&self) -> &VpFormatsSupported { + &self.2 + } + + pub fn client_id_schemes_supported(&self) -> &ClientIdSchemesSupported { + &self.3 + } +} + +impl From for UntypedObject { + fn from(value: WalletMetadata) -> Self { + let mut inner = value.0; + inner.insert(value.1); + inner.insert(value.2); + inner.insert(value.3); + inner + } +} + +impl TryFrom for WalletMetadata { + type Error = Error; + + fn try_from(value: UntypedObject) -> Result { + let authorization_endpoint = value.get().parsing_error()?; + let vp_formats_supported = value.get().parsing_error()?; + let client_id_schemes_supported = value.get_or_default().parsing_error()?; + Ok(Self( + value, + authorization_endpoint, + vp_formats_supported, + client_id_schemes_supported, + )) + } +} + +impl Deref for WalletMetadata { + type Target = UntypedObject; + + fn deref(&self) -> &Self::Target { + &self.0 + } +} + +impl DerefMut for WalletMetadata { + fn deref_mut(&mut self) -> &mut Self::Target { + &mut self.0 + } +} diff --git a/src/core/metadata/parameters/mod.rs b/src/core/metadata/parameters/mod.rs new file mode 100644 index 0000000..8aeb810 --- /dev/null +++ b/src/core/metadata/parameters/mod.rs @@ -0,0 +1,4 @@ +/// Metadata supplied by the verifier, also known as the Client Metadata. +pub mod verifier; +/// Metadata supplied by the wallet, also known as the Authorization Server Metadata. +pub mod wallet; diff --git a/src/core/metadata/parameters/verifier.rs b/src/core/metadata/parameters/verifier.rs new file mode 100644 index 0000000..3681521 --- /dev/null +++ b/src/core/metadata/parameters/verifier.rs @@ -0,0 +1,196 @@ +use anyhow::Error; +use serde::Deserialize; +use serde_json::{Map, Value as Json}; + +use crate::core::object::TypedParameter; + +#[derive(Debug, Clone, Deserialize)] +pub struct VpFormats(pub Map); + +impl TypedParameter for VpFormats { + const KEY: &'static str = "vp_formats"; +} + +impl TryFrom for VpFormats { + type Error = Error; + + fn try_from(value: Json) -> Result { + serde_json::from_value(value).map(Self).map_err(Into::into) + } +} + +impl From for Json { + fn from(value: VpFormats) -> Json { + value.0.into() + } +} + +#[derive(Debug, Clone, Deserialize)] +pub struct JWKs { + pub keys: Vec>, +} + +impl TypedParameter for JWKs { + const KEY: &'static str = "jwks"; +} + +impl TryFrom for JWKs { + type Error = Error; + + fn try_from(value: Json) -> Result { + serde_json::from_value(value).map_err(Into::into) + } +} + +impl From for Json { + fn from(value: JWKs) -> Json { + let keys = value.keys.into_iter().map(Json::Object).collect(); + let mut obj = Map::default(); + obj.insert("keys".into(), Json::Array(keys)); + obj.into() + } +} + +#[derive(Debug, Clone)] +pub struct RequireSignedRequestObject(pub bool); + +impl TypedParameter for RequireSignedRequestObject { + const KEY: &'static str = "require_signed_request_object"; +} + +impl TryFrom for RequireSignedRequestObject { + type Error = Error; + + fn try_from(value: Json) -> Result { + Ok(Self(serde_json::from_value(value)?)) + } +} + +impl From for Json { + fn from(value: RequireSignedRequestObject) -> Json { + Json::Bool(value.0) + } +} + +#[derive(Debug, Clone)] +pub struct AuthorizationEncryptedResponseAlg(pub String); + +impl TypedParameter for AuthorizationEncryptedResponseAlg { + const KEY: &'static str = "authorization_encrypted_response_alg"; +} + +impl TryFrom for AuthorizationEncryptedResponseAlg { + type Error = Error; + + fn try_from(value: Json) -> Result { + Ok(Self(serde_json::from_value(value)?)) + } +} + +impl From for Json { + fn from(value: AuthorizationEncryptedResponseAlg) -> Json { + Json::String(value.0) + } +} + +#[derive(Debug, Clone)] +pub struct AuthorizationEncryptedResponseEnc(pub String); + +impl TypedParameter for AuthorizationEncryptedResponseEnc { + const KEY: &'static str = "authorization_encrypted_response_enc"; +} + +impl TryFrom for AuthorizationEncryptedResponseEnc { + type Error = Error; + + fn try_from(value: Json) -> Result { + Ok(Self(serde_json::from_value(value)?)) + } +} + +impl From for Json { + fn from(value: AuthorizationEncryptedResponseEnc) -> Json { + Json::String(value.0) + } +} + +#[cfg(test)] +mod test { + use serde_json::json; + + use crate::core::object::UntypedObject; + + use super::*; + + fn metadata() -> UntypedObject { + serde_json::from_value(json!( + { + "jwks":{ + "keys":[ + { + "kty":"EC", + "crv":"P-256", + "x":"MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4", + "y":"4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM", + "use":"enc", + "kid":"1" + } + ] + }, + "authorization_encrypted_response_alg":"ECDH-ES", + "authorization_encrypted_response_enc":"A256GCM", + "require_signed_request_object":true, + "vp_formats":{ "mso_mdoc":{} } + } + )) + .unwrap() + } + + #[test] + fn vp_formats() { + let VpFormats(fnd) = metadata().get().unwrap().unwrap(); + let exp = json!({"mso_mdoc": {}}).as_object().unwrap().clone(); + assert_eq!(fnd, exp) + } + + #[test] + fn jwks() { + let JWKs { keys } = metadata().get().unwrap().unwrap(); + assert_eq!(keys.len(), 1); + + let jwk = &keys[0]; + assert_eq!(jwk.get("kty").unwrap(), "EC"); + assert_eq!(jwk.get("crv").unwrap(), "P-256"); + assert_eq!( + jwk.get("x").unwrap(), + "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4" + ); + assert_eq!( + jwk.get("y").unwrap(), + "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM" + ); + assert_eq!(jwk.get("use").unwrap(), "enc"); + assert_eq!(jwk.get("kid").unwrap(), "1"); + } + + #[test] + fn require_signed_request_object() { + let exp = true; + let RequireSignedRequestObject(b) = metadata().get().unwrap().unwrap(); + assert_eq!(b, exp); + } + + #[test] + fn authorization_encrypted_response_alg() { + let exp = "ECDH-ES"; + let AuthorizationEncryptedResponseAlg(s) = metadata().get().unwrap().unwrap(); + assert_eq!(s, exp); + } + + #[test] + fn authorization_encrypted_response_enc() { + let exp = "A256GCM"; + let AuthorizationEncryptedResponseEnc(s) = metadata().get().unwrap().unwrap(); + assert_eq!(s, exp); + } +} diff --git a/src/core/metadata/parameters/wallet.rs b/src/core/metadata/parameters/wallet.rs new file mode 100644 index 0000000..27ef948 --- /dev/null +++ b/src/core/metadata/parameters/wallet.rs @@ -0,0 +1,300 @@ +use crate::core::{ + authorization_request::parameters::{ClientIdScheme, ResponseType}, + object::TypedParameter, +}; +use anyhow::{bail, Error, Result}; +use serde_json::{Map, Value as Json}; +use url::Url; + +#[derive(Debug, Clone)] +pub struct Issuer(pub String); + +impl TypedParameter for Issuer { + const KEY: &'static str = "issuer"; +} + +impl TryFrom for Issuer { + type Error = Error; + + fn try_from(value: Json) -> Result { + Ok(Self(serde_json::from_value(value)?)) + } +} + +impl From for Json { + fn from(value: Issuer) -> Json { + Json::String(value.0) + } +} + +#[derive(Debug, Clone)] +pub struct AuthorizationEndpoint(pub Url); + +impl TypedParameter for AuthorizationEndpoint { + const KEY: &'static str = "authorization_endpoint"; +} + +impl TryFrom for AuthorizationEndpoint { + type Error = Error; + + fn try_from(value: Json) -> Result { + Ok(Self(serde_json::from_value(value)?)) + } +} + +impl From for Json { + fn from(value: AuthorizationEndpoint) -> Json { + Json::String(value.0.to_string()) + } +} + +#[derive(Debug, Clone)] +pub struct ResponseTypesSupported(pub Vec); + +impl TypedParameter for ResponseTypesSupported { + const KEY: &'static str = "response_types_supported"; +} + +impl TryFrom for ResponseTypesSupported { + type Error = Error; + + fn try_from(value: Json) -> Result { + Ok(Self(serde_json::from_value(value)?)) + } +} + +impl From for Json { + fn from(value: ResponseTypesSupported) -> Json { + Json::Array( + value + .0 + .iter() + .cloned() + .map(String::from) + .map(Json::from) + .collect(), + ) + } +} + +// TODO: Client ID scheme types? +#[derive(Debug, Clone)] +pub struct ClientIdSchemesSupported(pub Vec); + +impl TypedParameter for ClientIdSchemesSupported { + const KEY: &'static str = "client_id_schemes_supported"; +} + +impl TryFrom for ClientIdSchemesSupported { + type Error = Error; + + fn try_from(value: Json) -> Result { + let Json::Array(xs) = value else { + bail!("expected JSON array") + }; + xs.into_iter() + .map(Json::try_into) + .collect::>>() + .map(Self) + } +} + +impl From for Json { + fn from(value: ClientIdSchemesSupported) -> Json { + Json::Array(value.0.into_iter().map(Json::from).collect()) + } +} + +impl Default for ClientIdSchemesSupported { + fn default() -> Self { + Self(vec![ClientIdScheme::PreRegistered]) + } +} + +#[derive(Debug, Clone)] +pub struct RequestObjectSigningAlgValuesSupported(pub Vec); + +impl TypedParameter for RequestObjectSigningAlgValuesSupported { + const KEY: &'static str = "request_object_signing_alg_values_supported"; +} + +impl TryFrom for RequestObjectSigningAlgValuesSupported { + type Error = Error; + + fn try_from(value: Json) -> Result { + Ok(Self(serde_json::from_value(value)?)) + } +} + +impl From for Json { + fn from(value: RequestObjectSigningAlgValuesSupported) -> Json { + Json::Array(value.0.into_iter().map(Json::from).collect()) + } +} + +// TODO: Better types +#[derive(Debug, Clone)] +pub struct VpFormatsSupported(pub Map); + +impl TypedParameter for VpFormatsSupported { + const KEY: &'static str = "vp_formats_supported"; +} + +impl TryFrom for VpFormatsSupported { + type Error = Error; + + fn try_from(value: Json) -> Result { + Ok(Self(serde_json::from_value(value)?)) + } +} + +impl From for Json { + fn from(value: VpFormatsSupported) -> Json { + Json::Object(value.0) + } +} + +#[derive(Debug, Clone)] +pub struct AuthorizationEncryptionAlgValuesSupported(pub Vec); + +impl TypedParameter for AuthorizationEncryptionAlgValuesSupported { + const KEY: &'static str = "authorization_encryption_alg_values_supported"; +} + +impl TryFrom for AuthorizationEncryptionAlgValuesSupported { + type Error = Error; + + fn try_from(value: Json) -> Result { + Ok(Self(serde_json::from_value(value)?)) + } +} + +impl From for Json { + fn from(value: AuthorizationEncryptionAlgValuesSupported) -> Json { + Json::Array(value.0.into_iter().map(Json::from).collect()) + } +} + +#[derive(Debug, Clone)] +pub struct AuthorizationEncryptionEncValuesSupported(pub Vec); + +impl TypedParameter for AuthorizationEncryptionEncValuesSupported { + const KEY: &'static str = "authorization_encryption_enc_values_supported"; +} + +impl TryFrom for AuthorizationEncryptionEncValuesSupported { + type Error = Error; + + fn try_from(value: Json) -> Result { + Ok(Self(serde_json::from_value(value)?)) + } +} + +impl From for Json { + fn from(value: AuthorizationEncryptionEncValuesSupported) -> Json { + Json::Array(value.0.into_iter().map(Json::from).collect()) + } +} + +#[cfg(test)] +mod test { + use serde_json::json; + + use crate::core::object::UntypedObject; + + use super::*; + + fn metadata() -> UntypedObject { + serde_json::from_value(json!({ + "issuer": "https://self-issued.me/v2", + "authorization_endpoint": "mdoc-openid4vp://", + "response_types_supported": [ + "vp_token" + ], + "vp_formats_supported": + { + "mso_mdoc": { + } + }, + "client_id_schemes_supported": [ + "redirect_uri", + "x509_san_uri" + ], + "request_object_signing_alg_values_supported": [ + "ES256" + ], + "authorization_encryption_alg_values_supported": [ + "ECDH-ES" + ], + "authorization_encryption_enc_values_supported": [ + "A256GCM" + ] + } + )) + .unwrap() + } + + #[test] + fn issuer() { + let exp = "https://self-issued.me/v2"; + let Issuer(s) = metadata().get().unwrap().unwrap(); + assert_eq!(s, exp); + } + + #[test] + fn authorization_endpoint() { + let exp = "mdoc-openid4vp://".parse().unwrap(); + let AuthorizationEndpoint(s) = metadata().get().unwrap().unwrap(); + assert_eq!(s, exp); + } + + #[test] + fn response_types_supported() { + let exp = vec![ResponseType::VpToken]; + let ResponseTypesSupported(v) = metadata().get().unwrap().unwrap(); + assert!(exp.iter().all(|x| v.contains(x))); + assert!(v.iter().all(|x| exp.contains(x))); + } + + #[test] + fn client_id_schemes_supported() { + let exp = vec![ClientIdScheme::RedirectUri, ClientIdScheme::X509SanUri]; + let ClientIdSchemesSupported(v) = metadata().get().unwrap().unwrap(); + assert!(exp.iter().all(|x| v.contains(x))); + assert!(v.iter().all(|x| exp.contains(x))); + } + + #[test] + fn request_object_signing_alg_values_supported() { + let exp = vec!["ES256".to_string()]; + let RequestObjectSigningAlgValuesSupported(v) = metadata().get().unwrap().unwrap(); + assert!(exp.iter().all(|x| v.contains(x))); + assert!(v.iter().all(|x| exp.contains(x))); + } + + #[test] + fn vp_formats_supported() { + let VpFormatsSupported(mut m) = metadata().get().unwrap().unwrap(); + assert_eq!(m.len(), 1); + assert_eq!( + m.remove("mso_mdoc").unwrap(), + Json::Object(Default::default()) + ); + } + + #[test] + fn authorization_encryption_alg_values_supported() { + let exp = vec!["ECDH-ES".to_string()]; + let AuthorizationEncryptionAlgValuesSupported(v) = metadata().get().unwrap().unwrap(); + assert!(exp.iter().all(|x| v.contains(x))); + assert!(v.iter().all(|x| exp.contains(x))); + } + + #[test] + fn authorization_encryption_enc_values_supported() { + let exp = vec!["A256GCM".to_string()]; + let AuthorizationEncryptionEncValuesSupported(v) = metadata().get().unwrap().unwrap(); + assert!(exp.iter().all(|x| v.contains(x))); + assert!(v.iter().all(|x| exp.contains(x))); + } +} diff --git a/src/core/mod.rs b/src/core/mod.rs new file mode 100644 index 0000000..5b5ccda --- /dev/null +++ b/src/core/mod.rs @@ -0,0 +1,9 @@ +pub mod authorization_request; +pub mod credential_format; +pub mod metadata; +pub mod object; +pub mod profile; +pub mod response; +pub(crate) mod util; +pub mod verifier; +pub mod wallet; diff --git a/src/core/object/mod.rs b/src/core/object/mod.rs new file mode 100644 index 0000000..0d7de33 --- /dev/null +++ b/src/core/object/mod.rs @@ -0,0 +1,105 @@ +use std::collections::HashMap; + +use anyhow::{Context, Error, Result}; +use serde::{Deserialize, Serialize}; +use serde_json::{Map, Value as Json}; + +/// An untyped (JSON) Object from which [TypedParameters](TypedParameter) can be parsed. +/// +/// Can represent metadata or request objects. +#[derive(Debug, Clone, Serialize, Deserialize, Default)] +pub struct UntypedObject(pub(crate) Map); + +// TODO: Replace anyhow error type. +/// A strongly typed parameter that can represent metadata entries or request parameters. +pub trait TypedParameter: + TryFrom + Into + Clone + std::fmt::Debug +{ + const KEY: &'static str; +} + +impl UntypedObject { + /// Get a [TypedParameter] from the Object or return the default value. + /// + /// Note that this method clones the underlying data. + pub fn get_or_default(&self) -> Result { + Ok(self + .0 + .get(T::KEY) + .cloned() + .map(TryInto::try_into) + .transpose()? + .unwrap_or_default()) + } + + /// Get a [TypedParameter] from the Object. + /// + /// Note that this method clones the underlying data. + pub fn get(&self) -> Option> { + Some(self.0.get(T::KEY)?.clone().try_into().map_err(Into::into)) + } + + /// Remove a [TypedParameter] from the Object. + pub fn remove(&mut self) -> Option> { + Some(self.0.remove(T::KEY)?.try_into().map_err(Into::into)) + } + + /// Insert a [TypedParameter]. + /// + /// Returns the existing [TypedParameter] if one already exists. + /// + /// # Errors + /// Returns an error if there was already an entry in the Object, but it could not be parsed from JSON. + pub fn insert(&mut self, t: T) -> Option> { + Some( + self.0 + .insert(T::KEY.to_owned(), t.into())? + .try_into() + .map_err(Into::into), + ) + } + + /// Flatten the structure for posting as a form. + pub(crate) fn flatten_for_form(self) -> Result> { + self.0 + .into_iter() + .map(|(k, v)| { + if let Json::String(s) = v { + return Ok((k, s)); + } + serde_json::to_string(&v) + .map(|v| (k, v)) + .map_err(Error::from) + }) + .collect() + } +} + +impl From for Json { + fn from(value: UntypedObject) -> Self { + value.0.into() + } +} + +pub trait ParsingErrorContext { + type T: TypedParameter; + + fn parsing_error(self) -> Result; +} + +impl ParsingErrorContext for Option> { + type T = T; + + fn parsing_error(self) -> Result { + self.context(format!("'{}' is missing", T::KEY))? + .context(format!("'{}' could not be parsed", T::KEY)) + } +} + +impl ParsingErrorContext for Result { + type T = T; + + fn parsing_error(self) -> Result { + self.context(format!("'{}' could not be parsed", T::KEY)) + } +} diff --git a/src/core/profile/mod.rs b/src/core/profile/mod.rs new file mode 100644 index 0000000..e471786 --- /dev/null +++ b/src/core/profile/mod.rs @@ -0,0 +1,123 @@ +use anyhow::{bail, Context, Error}; +use async_trait::async_trait; +use tracing::warn; +use url::Url; + +use super::{ + authorization_request::{ + parameters::{PresentationDefinition, ResponseMode}, + verification::RequestVerification, + AuthorizationRequest, AuthorizationRequestObject, + }, + credential_format::CredentialFormat, + metadata::WalletMetadata, + response::{AuthorizationResponse, PostRedirection}, + util::default_http_client, +}; + +/// A specific profile of OID4VP. +pub trait Profile { + /// Credential Format used in this profile. + type CredentialFormat: CredentialFormat; + + /// Perform additional profile-specific checks on outbound and inbound requests. + fn validate_request( + &self, + wallet_metadata: &WalletMetadata, + request_object: &AuthorizationRequestObject, + ) -> Result<(), Error>; +} + +pub trait Verifier: Profile { + /// Builder for profile-specific [PresentationDefinition]. + type PresentationBuilder: PresentationBuilder; +} + +pub trait PresentationBuilder: Default { + fn build(self) -> Result; +} + +#[async_trait] +pub trait Wallet: Profile + RequestVerification + Sync { + type PresentationHandler: PresentationHandler; + + fn wallet_metadata(&self) -> &WalletMetadata; + + async fn to_handler( + &self, + request_object: &AuthorizationRequestObject, + ) -> Result; + + async fn handle_request_with_http_client( + &self, + url: Url, + http_client: &reqwest::Client, + ) -> Result { + let ar = + AuthorizationRequest::from_url(url, &self.wallet_metadata().authorization_endpoint().0) + .context("unable to parse authorization request")?; + let aro = ar + .validate_with_http_client(self, http_client) + .await + .context("unable to validate authorization request")?; + self.to_handler(&aro).await + } + + /// Uses library default http client. + async fn handle_request(&self, url: Url) -> Result { + self.handle_request_with_http_client(url, &default_http_client()?) + .await + } + + async fn submit_response_with_http_client( + &self, + handler: Self::PresentationHandler, + http_client: reqwest::Client, + ) -> Result, Error> { + let aro = handler.request().clone(); + let response_object = handler.to_response()?; + let return_uri = aro.return_uri(); + match aro.response_mode() { + ResponseMode::DirectPost => { + let body = response_object + .serializable() + .flatten_for_form() + .context("unable to flatten authorization response")?; + let response = http_client + .post(return_uri.clone()) + .form(&body) + .send() + .await + .context("failed to post authorization response")?; + + let status = response.status(); + let text = response.text().await.context("text")?; + + if !status.is_success() { + bail!("error submitting authorization response ({status}): {text}") + } + + Ok(serde_json::from_str(&text) + .map_err(|e| warn!("response did not contain a redirect: {e}")) + .ok() + .map(|PostRedirection { redirect_uri }| redirect_uri)) + } + ResponseMode::DirectPostJwt => todo!(), + ResponseMode::Unsupported(rm) => bail!("unsupported response_mode {rm}"), + } + } + + /// Uses library default http client. + async fn submit_response( + &self, + handler: Self::PresentationHandler, + ) -> Result, Error> { + self.submit_response_with_http_client(handler, default_http_client()?) + .await + } +} + +pub trait PresentationHandler: Send { + fn request(&self) -> &AuthorizationRequestObject; + fn to_response(self) -> Result; +} diff --git a/src/core/response/mod.rs b/src/core/response/mod.rs new file mode 100644 index 0000000..1e25eda --- /dev/null +++ b/src/core/response/mod.rs @@ -0,0 +1,37 @@ +use anyhow::Error; +use serde::{Deserialize, Serialize}; +use url::Url; + +use self::parameters::{PresentationSubmission, VpToken}; + +use super::object::{ParsingErrorContext, UntypedObject}; + +pub mod parameters; + +#[derive(Debug, Clone)] +pub struct AuthorizationResponse(UntypedObject, VpToken, PresentationSubmission); + +impl AuthorizationResponse { + pub fn as_query(self) -> Result { + Ok(serde_urlencoded::to_string(self.0)?) + } + + pub fn serializable(self) -> UntypedObject { + self.0 + } +} + +#[derive(Debug, Clone, Serialize, Deserialize)] +pub struct PostRedirection { + pub redirect_uri: Url, +} + +impl TryFrom for AuthorizationResponse { + type Error = Error; + + fn try_from(value: UntypedObject) -> Result { + let vp_token = value.get().parsing_error()?; + let presentation_submission = value.get().parsing_error()?; + Ok(Self(value, vp_token, presentation_submission)) + } +} diff --git a/src/core/response/parameters.rs b/src/core/response/parameters.rs new file mode 100644 index 0000000..3a0411c --- /dev/null +++ b/src/core/response/parameters.rs @@ -0,0 +1,69 @@ +use anyhow::Error; +use serde_json::Value as Json; + +pub use crate::core::authorization_request::parameters::State; +use crate::core::object::TypedParameter; + +#[derive(Debug, Clone)] +pub struct IdToken(pub String); + +impl TypedParameter for IdToken { + const KEY: &'static str = "id_token"; +} + +impl TryFrom for IdToken { + type Error = Error; + + fn try_from(value: Json) -> Result { + serde_json::from_value(value).map(Self).map_err(Into::into) + } +} + +impl From for Json { + fn from(value: IdToken) -> Self { + value.0.into() + } +} + +#[derive(Debug, Clone)] +pub struct VpToken(pub String); + +impl TypedParameter for VpToken { + const KEY: &'static str = "vp_token"; +} + +impl TryFrom for VpToken { + type Error = Error; + + fn try_from(value: Json) -> Result { + serde_json::from_value(value).map(Self).map_err(Into::into) + } +} + +impl From for Json { + fn from(value: VpToken) -> Self { + value.0.into() + } +} + +// TODO: Better type. +#[derive(Debug, Clone)] +pub struct PresentationSubmission(pub Json); + +impl TypedParameter for PresentationSubmission { + const KEY: &'static str = "presentation_submission"; +} + +impl TryFrom for PresentationSubmission { + type Error = Error; + + fn try_from(value: Json) -> Result { + Ok(Self(value)) + } +} + +impl From for Json { + fn from(value: PresentationSubmission) -> Self { + value.0 + } +} diff --git a/src/core/util/mod.rs b/src/core/util/mod.rs new file mode 100644 index 0000000..78968f3 --- /dev/null +++ b/src/core/util/mod.rs @@ -0,0 +1,18 @@ +use anyhow::{Context, Error}; +use reqwest::header::HeaderMap; + +pub fn default_http_client() -> Result { + let mut headers: HeaderMap = Default::default(); + headers.insert( + "Prefer", + "OID4VP-0.0.20" + .parse() + .context("unable to parse Prefer header value")?, + ); + + reqwest::Client::builder() + .default_headers(headers) + .use_rustls_tls() + .build() + .context("unable to build http_client") +} diff --git a/src/core/verifier/builder/by_reference.rs b/src/core/verifier/builder/by_reference.rs new file mode 100644 index 0000000..9131408 --- /dev/null +++ b/src/core/verifier/builder/by_reference.rs @@ -0,0 +1,10 @@ +use url::Url; + +#[derive(Debug, Clone, Default)] +pub enum ByReference { + #[default] + False, + True { + at: Url, + }, +} diff --git a/src/core/verifier/builder/client.rs b/src/core/verifier/builder/client.rs new file mode 100644 index 0000000..562f4ea --- /dev/null +++ b/src/core/verifier/builder/client.rs @@ -0,0 +1,89 @@ +use anyhow::Result; +use base64::prelude::*; +use serde_json::{json, Value as Json}; +use x509_cert::{der::Encode, Certificate}; + +use crate::core::{ + authorization_request::{ + parameters::{ClientId, ClientIdScheme}, + AuthorizationRequestObject, + }, + verifier::request_signer::RequestSigner, +}; + +#[derive(Debug, Clone)] +pub(crate) enum Client { + Did { + id: ClientId, + vm: String, + signer: S, + }, + X509SanUri { + id: ClientId, + x5c: Vec, + signer: S, + }, +} + +impl Client { + pub fn id(&self) -> &ClientId { + match self { + Client::Did { id, .. } => id, + Client::X509SanUri { id, .. } => id, + } + } + + pub fn scheme(&self) -> &ClientIdScheme { + match self { + Client::Did { .. } => &ClientIdScheme::Did, + Client::X509SanUri { .. } => &ClientIdScheme::X509SanUri, + } + } + + pub async fn generate_request_object_jwt( + &self, + body: &AuthorizationRequestObject, + ) -> Result { + match self { + Client::Did { + vm: kid, signer, .. + } => { + let algorithm = signer.alg(); + let header = json!({ + "alg": algorithm, + "kid": kid, + "typ": "JWT" + }); + make_jwt(header, body, signer).await + } + Client::X509SanUri { x5c, signer, .. } => { + let algorithm = signer.alg(); + let x5c: Vec = x5c + .iter() + .map(|x509| x509.to_der()) + .map(|der| Ok(BASE64_STANDARD.encode(der?))) + .collect::>()?; + let header = json!({ + "alg": algorithm, + "x5c": x5c, + "typ": "JWT" + }); + make_jwt(header, body, signer).await + } + } + } +} + +async fn make_jwt( + header: Json, + body: &AuthorizationRequestObject, + signer: &S, +) -> Result { + let header_b64: String = + serde_json::to_vec(&header).map(|b| BASE64_URL_SAFE_NO_PAD.encode(b))?; + let body_b64 = serde_json::to_vec(body).map(|b| BASE64_URL_SAFE_NO_PAD.encode(b))?; + let payload = [header_b64.as_bytes(), b".", body_b64.as_bytes()].concat(); + let signature = signer.sign(&payload).await; + let signature_b64 = BASE64_URL_SAFE_NO_PAD.encode(signature); + Ok(format!("{header_b64}.{body_b64}.{signature_b64}")) +} diff --git a/src/core/verifier/builder/mod.rs b/src/core/verifier/builder/mod.rs new file mode 100644 index 0000000..3c209f7 --- /dev/null +++ b/src/core/verifier/builder/mod.rs @@ -0,0 +1,255 @@ +use anyhow::{bail, Context, Result}; +use ssi::did_resolve::DIDResolver; +use tracing::{debug, warn}; +use url::Url; +use x509_cert::{ + ext::pkix::{name::GeneralName, SubjectAltName}, + Certificate, +}; + +use crate::core::{ + authorization_request::{ + parameters::ClientId, AuthorizationRequest, AuthorizationRequestObject, RequestIndirection, + }, + metadata::{parameters::wallet::AuthorizationEndpoint, WalletMetadata}, + object::{ParsingErrorContext, TypedParameter, UntypedObject}, + profile::Verifier, +}; + +use self::{by_reference::ByReference, client::Client}; + +use super::{ + request_signer::{P256Signer, RequestSigner}, + Session, +}; + +mod by_reference; +mod client; + +#[derive(Debug, Clone)] +pub struct SessionBuilder { + wallet_metadata: WalletMetadata, + client: Option>, + pass_by_reference: ByReference, + request_params: UntypedObject, + profile: P, +} + +impl SessionBuilder { + pub fn new(profile: P, wallet_metadata: WalletMetadata) -> Self { + Self { + wallet_metadata, + client: None, + pass_by_reference: ByReference::False, + request_params: UntypedObject::default(), + profile, + } + } + + pub async fn build(self) -> Result> { + let Self { + wallet_metadata, + client, + pass_by_reference, + mut request_params, + profile, + } = self; + + let authorization_endpoint = wallet_metadata + .get::() + .parsing_error()? + .0; + + let Some(client) = client else { + bail!("client is required, see `with_X_client_id` functions") + }; + + let client_id = client.id(); + let client_id_scheme = client.scheme(); + if !wallet_metadata + .client_id_schemes_supported() + .0 + .contains(client_id_scheme) + { + bail!("wallet does not support client_id_scheme '{client_id_scheme}'") + } + + let _ = request_params.insert(client_id.clone()); + let _ = request_params.insert(client_id_scheme.clone()); + + let request_object: AuthorizationRequestObject = request_params + .try_into() + .context("unable to construct Authorization Request Object from provided parameters")?; + + profile.validate_request(&wallet_metadata, &request_object)?; + + let request_object_jwt = client.generate_request_object_jwt(&request_object).await?; + + let request_indirection = match pass_by_reference { + ByReference::False => RequestIndirection::ByValue(request_object_jwt.clone()), + ByReference::True { at } => RequestIndirection::ByReference(at), + }; + + let authorization_request = AuthorizationRequest { + client_id: client_id.0.clone(), + request_indirection, + } + .to_url(authorization_endpoint)?; + + Ok(Session { + profile, + authorization_request, + request_object, + request_object_jwt, + }) + } + + /// Encode the Authorization Request directly in the `request` parameter. + pub fn by_value(mut self) -> Self { + self.pass_by_reference = ByReference::False; + self + } + + /// Pass the Authorization Request by reference in the `request_uri` parameter. + pub fn by_reference(mut self, at: Url) -> Self { + self.pass_by_reference = ByReference::True { at }; + self + } + + pub fn presentation_builder() -> P::PresentationBuilder { + P::PresentationBuilder::default() + } + + pub fn with_request_parameter(mut self, t: T) -> Self { + self.request_params.insert(t); + self + } + + /// Configure the [ClientId] and set the [ClientIdScheme] to `did`. + pub async fn with_did_client_id_and_resolver( + self, + vm: String, + signer: T, + resolver: &dyn DIDResolver, + ) -> Result> { + let (id, _f) = vm.rsplit_once('#').context(format!( + "expected a DID verification method, received '{vm}'" + ))?; + + let key = ssi::did_resolve::resolve_key(&vm, resolver) + .await + .context("unable to resolve key from verification method")?; + + if &key != signer.jwk() { + bail!( + "verification method resolved from DID document did not match public key of signer" + ) + } + + let SessionBuilder { + wallet_metadata, + pass_by_reference, + request_params, + profile, + .. + } = self; + + let client = Some(Client::Did { + id: ClientId(id.to_string()), + vm, + signer, + }); + + Ok(SessionBuilder { + wallet_metadata, + client, + pass_by_reference, + request_params, + profile, + }) + } + + /// Configure the [ClientId] and set the [ClientIdScheme] to `x509_san_dns`. + pub fn with_x509_san_dns_client_id(mut self, x5c: Vec, signer: S) -> Result { + // TODO: Check certificate chain. + let leaf = &x5c[0]; + let id = if let Some(san) = leaf + .tbs_certificate + .filter::() + .filter_map(|r| match r { + Ok((_crit, san)) => Some(san.0.into_iter()), + Err(e) => { + debug!("unable to parse SubjectAlternativeName from DER: {e}"); + None + } + }) + .flatten() + .filter_map(|gn| match gn { + GeneralName::DnsName(uri) => Some(uri.to_string()), + _ => { + debug!("found non-DNS SAN: {gn:?}"); + None + } + }) + .next() + { + san + } else { + bail!("x509 certificate does not contain Subject Alternative Name"); + }; + self.client = Some(Client::X509SanUri { + id: ClientId(id), + x5c, + signer, + }); + Ok(self) + } + + /// Configure the [ClientId] and set the [ClientIdScheme] to `x509_san_uri`. + pub fn with_x509_san_uri_client_id(mut self, x5c: Vec, signer: S) -> Result { + // TODO: Check certificate chain. + let leaf = &x5c[0]; + let id = if let Some(san) = leaf + .tbs_certificate + .filter::() + .filter_map(|r| match r { + Ok((_crit, san)) => Some(san.0.into_iter()), + Err(e) => { + debug!("unable to parse SubjectAlternativeName from DER: {e}"); + None + } + }) + .flatten() + .filter_map(|gn| match gn { + GeneralName::UniformResourceIdentifier(uri) => Some(uri.to_string()), + _ => { + debug!("found non-URI SAN: {gn:?}"); + None + } + }) + .next() + { + san + } else { + let Some(cn) = leaf + .tbs_certificate + .subject + .0 + .iter() + .flat_map(|n| n.0.iter()) + .filter_map(|n| n.to_string().strip_prefix("CN=").map(ToOwned::to_owned)) + .next() + else { + bail!("x509 certificate does not contain Subject Alternative Name or Common Name"); + }; + warn!("x509 certificate does not contain Subject Alternative Name, falling back to Common Name for client_id"); + cn + }; + self.client = Some(Client::X509SanUri { + id: ClientId(id), + x5c, + signer, + }); + Ok(self) + } +} diff --git a/src/core/verifier/mod.rs b/src/core/verifier/mod.rs new file mode 100644 index 0000000..146a107 --- /dev/null +++ b/src/core/verifier/mod.rs @@ -0,0 +1,33 @@ +use serde::{Deserialize, Serialize}; +use url::Url; + +use self::builder::SessionBuilder; + +use crate::core::{ + authorization_request::AuthorizationRequestObject, metadata::WalletMetadata, profile::Verifier, +}; + +pub mod builder; +pub mod request_signer; + +#[derive(Debug, Clone, Serialize, Deserialize)] +pub struct Session { + profile: P, + authorization_request: Url, + request_object: AuthorizationRequestObject, + request_object_jwt: String, +} + +impl Session

{ + pub fn builder(profile: P, wallet_metadata: WalletMetadata) -> SessionBuilder

{ + SessionBuilder::new(profile, wallet_metadata) + } + + pub fn authorization_request(&self) -> &Url { + &self.authorization_request + } + + pub fn request_object_jwt(&self) -> &str { + &self.request_object_jwt + } +} diff --git a/src/core/verifier/request_signer.rs b/src/core/verifier/request_signer.rs new file mode 100644 index 0000000..0684da7 --- /dev/null +++ b/src/core/verifier/request_signer.rs @@ -0,0 +1,42 @@ +use anyhow::Result; +use async_trait::async_trait; +use p256::ecdsa::{signature::Signer, Signature, SigningKey}; +use ssi::jwk::JWK; + +#[async_trait] +pub trait RequestSigner { + /// The algorithm that will be used to sign. + fn alg(&self) -> &str; + /// The public JWK of the signer. + fn jwk(&self) -> &JWK; + async fn sign(&self, payload: &[u8]) -> Vec; +} + +pub struct P256Signer { + key: SigningKey, + jwk: JWK, +} + +impl P256Signer { + pub fn new(key: SigningKey) -> Result { + let pk: p256::PublicKey = key.verifying_key().into(); + let jwk = serde_json::from_str(&pk.to_jwk_string())?; + Ok(Self { key, jwk }) + } +} + +#[async_trait] +impl RequestSigner for P256Signer { + fn alg(&self) -> &str { + "ES256" + } + + fn jwk(&self) -> &JWK { + &self.jwk + } + + async fn sign(&self, payload: &[u8]) -> Vec { + let sig: Signature = self.key.sign(payload); + sig.to_vec() + } +} diff --git a/src/core/wallet/mod.rs b/src/core/wallet/mod.rs new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/src/core/wallet/mod.rs @@ -0,0 +1 @@ + diff --git a/src/lib.rs b/src/lib.rs index 7fa2eb1..1628086 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -1,2 +1,3 @@ +pub mod core; pub mod presentation_exchange; -mod utils; +pub mod utils; diff --git a/src/presentation_exchange.rs b/src/presentation_exchange.rs index 83e106a..7eced07 100644 --- a/src/presentation_exchange.rs +++ b/src/presentation_exchange.rs @@ -1,13 +1,17 @@ -use serde::{Deserialize, Serialize}; -use serde_json::Map; - use crate::utils::NonEmptyVec; +use serde::{Deserialize, Serialize}; +use serde_json::{Map, Value}; // TODO does openidconnect have a Request type? #[derive(Debug, Deserialize)] pub struct ResponseRequest { - id_token: serde_json::Value, // IdTokenSIOP, // CoreIdTokenClaims, - vp_token: VpToken, + _id_token: serde_json::Value, // IdTokenSIOP, // CoreIdTokenClaims, + _vp_token: VpToken, +} + +#[derive(Clone, Debug, Serialize, Deserialize, PartialEq, Eq)] +pub struct MdlVpToken { + pub presentation_submission: PresentationSubmission, } #[derive(Clone, Debug, Serialize, Deserialize, PartialEq, Eq)] @@ -20,6 +24,15 @@ pub struct VpToken { pub presentation_definition: PresentationDefinition, } +#[derive(Clone, Debug, Serialize, Deserialize, PartialEq, Eq)] +pub struct RequestObject { + pub presentation_definition: PresentationDefinition, + pub presentation_definition_uri: Option, + pub client_id_scheme: Option, + pub client_metadata: Option, + pub client_metadata_uri: Option, +} + #[derive(Clone, Debug, Serialize, Deserialize, PartialEq, Eq)] pub struct PresentationDefinition { pub id: String, // Uuid, @@ -69,6 +82,32 @@ pub struct ConstraintsField { pub filter: Option, // TODO JSONSchema validation at deserialization time #[serde(skip_serializing_if = "Option::is_none")] pub optional: Option, + #[serde(skip_serializing_if = "Option::is_none")] + pub intent_to_retain: Option, +} + +pub type ConstraintsFields = Vec; + +impl ConstraintsField { + pub fn new( + path: NonEmptyVec, + id: Option, + purpose: Option, + name: Option, + filter: Option, + optional: Option, + intent_to_retain: Option, + ) -> ConstraintsField { + ConstraintsField { + path, + id, + purpose, + name, + filter, + optional, + intent_to_retain, + } + } } #[derive(Clone, Debug, Serialize, Deserialize, PartialEq, Eq)] @@ -80,25 +119,25 @@ pub enum ConstraintsLimitDisclosure { #[derive(Clone, Debug, Serialize, Deserialize, PartialEq, Eq)] pub struct PresentationSubmission { - id: String, - definition_id: String, - descriptor_map: Vec, + pub id: String, + pub definition_id: String, + pub descriptor_map: Vec, } #[derive(Clone, Debug, Serialize, Deserialize, PartialEq, Eq)] pub struct DescriptorMap { - id: String, - format: String, // TODO should be enum of supported formats - path: String, - path_nested: Option>, + pub id: String, + pub format: String, // TODO should be enum of supported formats + pub path: String, + //pub path_nested: Option>, } #[derive(Deserialize)] pub struct SubmissionRequirementBaseBase { - name: Option, - purpose: Option, + _name: Option, + _purpose: Option, #[serde(flatten)] - property_set: Option>, + _property_set: Option>, } #[derive(Deserialize)] @@ -126,10 +165,10 @@ pub enum SubmissionRequirement { #[derive(Deserialize)] pub struct SubmissionRequirementPick { #[serde(flatten)] - submission_requirement: SubmissionRequirementBase, - count: Option, - min: Option, - max: Option, + _submission_requirement: SubmissionRequirementBase, + _count: Option, + _min: Option, + _max: Option, } #[cfg(test)] @@ -187,7 +226,7 @@ pub(crate) mod tests { #[derive(Deserialize)] pub struct PresentationDefinitionTest { - presentation_definition: PresentationDefinition, + _presentation_definition: PresentationDefinition, } #[test] @@ -198,7 +237,7 @@ pub(crate) mod tests { let path = path.unwrap().path(); if let Some(ext) = path.extension() { if ext != OsStr::new("json") - || vec!["VC_expiration_example.json", "VC_revocation_example.json"] // TODO bad format + || ["VC_expiration_example.json", "VC_revocation_example.json"] // TODO bad format .contains(&path.file_name().unwrap().to_str().unwrap()) { continue; @@ -217,7 +256,7 @@ pub(crate) mod tests { // TODO use VP type? #[derive(Deserialize)] pub struct PresentationSubmissionTest { - presentation_submission: PresentationSubmission, + _presentation_submission: PresentationSubmission, } #[test] @@ -228,7 +267,7 @@ pub(crate) mod tests { let path = path.unwrap().path(); if let Some(ext) = path.extension() { if ext != OsStr::new("json") - || vec![ + || [ "appendix_DIDComm_example.json", "appendix_CHAPI_example.json", ] @@ -249,7 +288,7 @@ pub(crate) mod tests { #[derive(Deserialize)] pub struct SubmissionRequirementsTest { - submission_requirements: Vec, + _submission_requirements: Vec, } #[test] @@ -260,7 +299,7 @@ pub(crate) mod tests { let path = path.unwrap().path(); if let Some(ext) = path.extension() { if ext != OsStr::new("json") - || vec!["schema.json"].contains(&path.file_name().unwrap().to_str().unwrap()) + || ["schema.json"].contains(&path.file_name().unwrap().to_str().unwrap()) { continue; } diff --git a/src/utils.rs b/src/utils.rs index 179b436..fe6e4f6 100644 --- a/src/utils.rs +++ b/src/utils.rs @@ -1,5 +1,9 @@ -use jsonpath_rust::JsonPathInst; +use anyhow; +use josekit::JoseError; +use reqwest::Error as ReqwestError; use serde::{Deserialize, Serialize}; +use serde_cbor::Error as CborError; +use ssi::jws::Error as JwsError; use std::ops::Deref; // #[derive(Clone)] @@ -10,9 +14,69 @@ use std::ops::Deref; pub struct NonEmptyVec(Vec); #[derive(Debug, thiserror::Error)] -pub enum Error { - #[error("cannot construct a non-empty vec from an empty vec")] - Empty, +pub enum Openid4vpError { + #[error( + "The request is missing a required parameter, includes an + invalid parameter value, includes a parameter more than + once, or is otherwise malformed." + )] + InvalidRequest, + #[error( + "The client is not authorized to request an authorization + code using this method" + )] + UnauthorizedClient, + #[error( + "The resource owner or authorization server denied the + request." + )] + AccessDenied, + #[error( + "The authorization server does not support obtaining an + authorization code using this method." + )] + UnnsupportedResponseType, + #[error("Requested scope value is invalid, unknown, or malformed.")] + InvalidScope, + #[error( + "The server encountered an unexpected + condition that prevented it from fulfilling the request." + )] + ServerError, + #[error( + "The server is currently unable to handle + the request due to a temporary overloading or maintenance + of the server." + )] + TemporarilyUnavailable, + #[error("Verifier's pre-registered metadata has been found based on the Client Identifier, but client_metadata parameter is also present.")] + InvalidClient, + #[error("The Wallet does not support any of the formats requested by the Verifier")] + VpFormatsNotSupported, + #[error("The Presentation Definition URL cannot be reached.")] + InvalidPresentationDefinitionUri, + #[error("The Presentation Definition URL can be reached, but the specified presentation_definition cannot be found at the URL.")] + InvalidPresentationDefinitionReference, + #[error("{0}")] + Empty(String), + #[error("Field requested that cannot be mapped to an ISO18013-5 mDL field")] + UnrecognizedField, + #[error("Could not encode or decode cbor")] + CborError, + #[error("Could not instantiate session manager")] + OID4VPError, + #[error("Isomdl error {0}")] + IsomdlError(String), + #[error("The requested encryption algorithm is not supported.")] + UnsupportedEncryptionAlgorithm, + #[error("The requested encryption encoding is not supported.")] + UnsupportedEncryptionEncoding, + #[error("There is an error in the base64 encoding.")] + DecodingError, + #[error("JoseError {0}")] + JoseError(String), + #[error("ResponseError {0}")] + ResponseError(String), } impl NonEmptyVec { @@ -34,11 +98,13 @@ impl NonEmptyVec { } impl TryFrom> for NonEmptyVec { - type Error = Error; + type Error = Openid4vpError; - fn try_from(v: Vec) -> Result, Error> { + fn try_from(v: Vec) -> Result, Openid4vpError> { if v.is_empty() { - return Err(Error::Empty); + return Err(Openid4vpError::Empty( + "Can not create a NonEmptyVec from an empty Vec".to_string(), + )); } Ok(NonEmptyVec(v)) } @@ -63,3 +129,75 @@ impl Deref for NonEmptyVec { &self.0 } } + +impl From for Openid4vpError { + fn from(_value: JwsError) -> Self { + Openid4vpError::UnrecognizedField + } +} + +impl From for Openid4vpError { + fn from(_value: CborError) -> Self { + Openid4vpError::CborError + } +} + +impl From for Openid4vpError { + fn from(value: anyhow::Error) -> Self { + Openid4vpError::Empty(value.to_string()) + } +} + +impl From for Openid4vpError { + fn from(value: JoseError) -> Self { + Openid4vpError::JoseError(value.to_string()) + } +} + +impl From for Openid4vpError { + fn from(_value: reqwest::Error) -> Self { + Openid4vpError::InvalidRequest + } +} + +impl From for Openid4vpError { + fn from(value: serde_json::Error) -> Self { + Openid4vpError::Empty(value.to_string()) + } +} + +impl From for Openid4vpError { + fn from(_value: x509_cert::der::Error) -> Self { + Openid4vpError::InvalidRequest + } +} + +impl From for Openid4vpError { + fn from(_value: ssi::jwk::Error) -> Self { + Openid4vpError::InvalidRequest + } +} + +impl From for Openid4vpError { + fn from(_value: base64::DecodeError) -> Self { + Openid4vpError::DecodingError + } +} + +impl From for Openid4vpError { + fn from(_value: String) -> Self { + Openid4vpError::OID4VPError + } +} + +impl From for Openid4vpError { + fn from(value: p256::ecdsa::Error) -> Self { + Openid4vpError::JoseError(value.to_string()) + } +} + +impl From for Openid4vpError { + fn from(value: x509_cert::spki::Error) -> Self { + Openid4vpError::ResponseError(value.to_string()) + } +}