feat: client attestation enhancements

Signed-off-by: Andrii Holovko <[email protected]>

cmd/vc-rest/startcmd/start.go

@@ -689,10 +689,9 @@ func buildEchoHandler(
 
 	trustRegistryService := trustregistry.NewService(
 		&trustregistry.Config{
-			HTTPClient:       getHTTPClient(metricsProvider.ClientAttestationService),
-			DocumentLoader:   documentLoader,
-			ProofChecker:     proofChecker,
-			VCStatusVerifier: verifyCredentialSvc,
+			HTTPClient:     getHTTPClient(metricsProvider.ClientAttestationService),
+			DocumentLoader: documentLoader,
+			ProofChecker:   proofChecker,
 		},
 	)
 
@@ -880,10 +879,9 @@ func buildEchoHandler(
 	var verifyPresentationSvc verifypresentation.ServiceInterface
 
 	verifyPresentationSvc = verifypresentation.New(&verifypresentation.Config{
-		VcVerifier:           verifyCredentialSvc,
-		DocumentLoader:       documentLoader,
-		VDR:                  conf.VDR,
-		TrustRegistryService: trustRegistryService,
+		VcVerifier:     verifyCredentialSvc,
+		DocumentLoader: documentLoader,
+		VDR:            conf.VDR,
 	})
 
 	if conf.IsTraceEnabled {
@@ -954,6 +952,7 @@ func buildEchoHandler(
 		DocumentLoader:           documentLoader,
 		ProfileService:           verifierProfileSvc,
 		PresentationVerifier:     verifyPresentationSvc,
+		TrustRegistryService:     trustRegistryService,
 		RedirectURL:              conf.StartupParameters.apiGatewayURL + oidc4VPCheckEndpoint,
 		TokenLifetime:            15 * time.Minute,
 		Metrics:                  metrics,

component/wallet-cli/cmd/attest_wallet_cmd.go

@@ -8,16 +8,16 @@ package cmd
 
 import (
 	"context"
-	"encoding/json"
 	"fmt"
 	"net/http"
 
+	"github.com/piprate/json-gold/ld"
 	"github.com/spf13/cobra"
+	storageapi "github.com/trustbloc/kms-go/spi/storage"
+	"github.com/trustbloc/kms-go/wrapper/api"
 
 	"github.com/trustbloc/vcs/component/wallet-cli/pkg/attestation"
-	jwssigner "github.com/trustbloc/vcs/component/wallet-cli/pkg/signer"
 	"github.com/trustbloc/vcs/component/wallet-cli/pkg/wallet"
-	kmssigner "github.com/trustbloc/vcs/pkg/kms/signer"
 )
 
 type attestCommandFlags struct {
@@ -58,37 +58,23 @@ func NewAttestWalletCommand() *cobra.Command {
 				didInfo = w.DIDs()[len(w.DIDs())-1]
 			}
 
-			signer, err := svc.CryptoSuite().FixedKeyMultiSigner(didInfo.KeyID)
-			if err != nil {
-				return fmt.Errorf("create signer: %w", err)
-			}
-
-			jwsSigner := jwssigner.NewJWSSigner(
-				fmt.Sprintf("%s#%s", didInfo.ID, didInfo.KeyID),
-				string(w.SignatureType()),
-				kmssigner.NewKMSSigner(signer, w.SignatureType(), nil),
-			)
-
-			attestationVC, err := attestation.NewClient(
-				&attestation.Config{
-					HTTPClient:     httpClient,
-					DocumentLoader: svc.DocumentLoader(),
-					Signer:         jwsSigner,
-					WalletDID:      didInfo.ID,
-					AttestationURL: flags.attestationURL,
+			attestationService, err := attestation.NewService(
+				&attestationServiceProvider{
+					storageProvider: svc.StorageProvider(),
+					httpClient:      httpClient,
+					documentLoader:  svc.DocumentLoader(),
+					cryptoSuite:     svc.CryptoSuite(),
 				},
-			).GetAttestationVC(context.Background())
-			if err != nil {
-				return fmt.Errorf("get attestation vc: %w", err)
-			}
-
-			vcBytes, err := json.Marshal(attestationVC)
+				flags.attestationURL,
+				didInfo,
+				w.SignatureType(),
+			)
 			if err != nil {
-				return fmt.Errorf("marshal attestation vc: %w", err)
+				return fmt.Errorf("create attestation service: %w", err)
 			}
 
-			if err = w.Add(vcBytes); err != nil {
-				return fmt.Errorf("add attestation vc to wallet: %w", err)
+			if _, err = attestationService.GetAttestation(context.Background()); err != nil {
+				return fmt.Errorf("get attestation: %w", err)
 			}
 
 			return nil
@@ -103,3 +89,26 @@ func NewAttestWalletCommand() *cobra.Command {
 
 	return cmd
 }
+
+type attestationServiceProvider struct {
+	storageProvider storageapi.Provider
+	httpClient      *http.Client
+	documentLoader  ld.DocumentLoader
+	cryptoSuite     api.Suite
+}
+
+func (p *attestationServiceProvider) StorageProvider() storageapi.Provider {
+	return p.storageProvider
+}
+
+func (p *attestationServiceProvider) HTTPClient() *http.Client {
+	return p.httpClient
+}
+
+func (p *attestationServiceProvider) DocumentLoader() ld.DocumentLoader {
+	return p.documentLoader
+}
+
+func (p *attestationServiceProvider) CryptoSuite() api.Suite {
+	return p.cryptoSuite
+}

component/wallet-cli/cmd/oidc4vci_cmd.go

@@ -22,7 +22,9 @@ import (
 	"github.com/trustbloc/kms-go/wrapper/api"
 
 	"github.com/trustbloc/vcs/component/wallet-cli/internal/formatter"
+	"github.com/trustbloc/vcs/component/wallet-cli/pkg/attestation"
 	"github.com/trustbloc/vcs/component/wallet-cli/pkg/oidc4vci"
+	"github.com/trustbloc/vcs/component/wallet-cli/pkg/trustregistry"
 	"github.com/trustbloc/vcs/component/wallet-cli/pkg/wallet"
 	"github.com/trustbloc/vcs/component/wallet-cli/pkg/wellknown"
 	vcsverifiable "github.com/trustbloc/vcs/pkg/doc/verifiable"
@@ -54,7 +56,8 @@ type oidc4vciCommandFlags struct {
 	enableDiscoverableClientID bool
 	enableTracing              bool
 	proxyURL                   string
-	trustRegistryURL           string
+	trustRegistryHost          string
+	attestationURL             string
 }
 
 func NewOIDC4VCICommand() *cobra.Command {
@@ -154,19 +157,47 @@ func NewOIDC4VCICommand() *cobra.Command {
 				}
 			}
 
+			var walletDIDIndex int
+
+			if flags.walletDIDIndex != -1 {
+				walletDIDIndex = flags.walletDIDIndex
+			} else {
+				walletDIDIndex = len(w.DIDs()) - 1
+			}
+
+			attestationService, err := attestation.NewService(
+				&attestationServiceProvider{
+					storageProvider: svc.StorageProvider(),
+					httpClient:      httpClient,
+					documentLoader:  svc.DocumentLoader(),
+					cryptoSuite:     svc.CryptoSuite(),
+				},
+				flags.attestationURL,
+				w.DIDs()[walletDIDIndex],
+				w.SignatureType(),
+			)
+			if err != nil {
+				return fmt.Errorf("create attestation service: %w", err)
+			}
+
 			wellKnownService := &wellknown.Service{
 				HTTPClient:  httpClient,
 				VDRRegistry: svc.VDR(),
 			}
 
 			provider := &oidc4vciProvider{
-				storageProvider:  svc.StorageProvider(),
-				httpClient:       httpClient,
-				documentLoader:   svc.DocumentLoader(),
-				vdrRegistry:      svc.VDR(),
-				cryptoSuite:      svc.CryptoSuite(),
-				wallet:           w,
-				wellKnownService: wellKnownService,
+				storageProvider:    svc.StorageProvider(),
+				httpClient:         httpClient,
+				documentLoader:     svc.DocumentLoader(),
+				vdrRegistry:        svc.VDR(),
+				cryptoSuite:        svc.CryptoSuite(),
+				attestationService: attestationService,
+				wallet:             w,
+				wellKnownService:   wellKnownService,
+			}
+
+			if flags.trustRegistryHost != "" {
+				provider.trustRegistry = trustregistry.NewClient(httpClient, flags.trustRegistryHost)
 			}
 
 			var flow *oidc4vci.Flow
@@ -175,7 +206,6 @@ func NewOIDC4VCICommand() *cobra.Command {
 				oidc4vci.WithCredentialType(flags.credentialType),
 				oidc4vci.WithOIDCCredentialFormat(flags.oidcCredentialFormat),
 				oidc4vci.WithClientID(flags.clientID),
-				oidc4vci.WithTrustRegistryURL(flags.trustRegistryURL),
 			}
 
 			if walletInitiatedFlow {
@@ -184,14 +214,6 @@ func NewOIDC4VCICommand() *cobra.Command {
 				opts = append(opts, oidc4vci.WithCredentialOffer(credentialOffer))
 			}
 
-			var walletDIDIndex int
-
-			if flags.walletDIDIndex != -1 {
-				walletDIDIndex = flags.walletDIDIndex
-			} else {
-				walletDIDIndex = len(w.DIDs()) - 1
-			}
-
 			if flags.proofType == "cwt" {
 				opts = append(opts, oidc4vci.WithProofBuilder(
 					oidc4vci.NewCWTProofBuilder(),
@@ -280,7 +302,8 @@ func NewOIDC4VCICommand() *cobra.Command {
 	cmd.Flags().StringVar(&flags.issuerState, "issuer-state", "", "issuer state in wallet-initiated flow")
 	cmd.Flags().StringVar(&flags.pin, "pin", "", "pin for pre-authorized code flow")
 	cmd.Flags().BoolVar(&flags.enableDiscoverableClientID, "enable-discoverable-client-id", false, "enables discoverable client id scheme for dynamic client registration")
-	cmd.Flags().StringVar(&flags.trustRegistryURL, "trust-registry-url", "", "if supplied, wallet will run issuer verification in trust registry")
+	cmd.Flags().StringVar(&flags.attestationURL, "attestation-url", "", "attestation url with profile id and profile version, i.e. <host>/profiles/{profileID}/{profileVersion}/wallet/attestation")
+	cmd.Flags().StringVar(&flags.trustRegistryHost, "trust-registry-host", "", "<trust-registry-host>/wallet/interactions/issuance to validate that the issuer is trusted according to policy")
 
 	cmd.Flags().BoolVar(&flags.enableTracing, "enable-tracing", false, "enables http tracing")
 	cmd.Flags().StringVar(&flags.proxyURL, "proxy-url", "", "proxy url for http client")
@@ -291,13 +314,15 @@ func NewOIDC4VCICommand() *cobra.Command {
 }
 
 type oidc4vciProvider struct {
-	storageProvider  storageapi.Provider
-	httpClient       *http.Client
-	documentLoader   ld.DocumentLoader
-	vdrRegistry      vdrapi.Registry
-	cryptoSuite      api.Suite
-	wallet           *wallet.Wallet
-	wellKnownService *wellknown.Service
+	storageProvider    storageapi.Provider
+	httpClient         *http.Client
+	documentLoader     ld.DocumentLoader
+	vdrRegistry        vdrapi.Registry
+	cryptoSuite        api.Suite
+	attestationService *attestation.Service
+	trustRegistry      *trustregistry.Client
+	wallet             *wallet.Wallet
+	wellKnownService   *wellknown.Service
 }
 
 func (p *oidc4vciProvider) StorageProvider() storageapi.Provider {
@@ -320,6 +345,14 @@ func (p *oidc4vciProvider) CryptoSuite() api.Suite {
 	return p.cryptoSuite
 }
 
+func (p *oidc4vciProvider) AttestationService() oidc4vci.AttestationService {
+	return p.attestationService
+}
+
+func (p *oidc4vciProvider) TrustRegistry() oidc4vci.TrustRegistry {
+	return p.trustRegistry
+}
+
 func (p *oidc4vciProvider) Wallet() *wallet.Wallet {
 	return p.wallet
 }