feat: Signed credential offer for Issuance (#1407)

Signed-off-by: Mykhailo Sizov <[email protected]>
trustbloc · Sep 8, 2023 · 9833912 · 9833912
1 parent 368c3c1
commit 9833912
Show file tree

Hide file tree

Showing 16 changed files with 729 additions and 54 deletions.
diff --git a/cmd/vc-rest/startcmd/start.go b/cmd/vc-rest/startcmd/start.go
@@ -657,6 +657,8 @@ func buildEchoHandler(
 		PreAuthCodeTTL:                conf.StartupParameters.transientDataParams.claimDataTTL,
 		CredentialOfferReferenceStore: credentialOfferStore,
 		DataProtector:                 claimsDataProtector,
+		KMSRegistry:                   kmsRegistry,
+		CryptoJWTSigner:               vcCrypto,
 	})
 	if err != nil {
 		return nil, fmt.Errorf("failed to instantiate new oidc4ci service: %w", err)
@@ -932,6 +934,10 @@ type credentialOfferReferenceStore interface {
 		ctx context.Context,
 		request *oidc4ci.CredentialOfferResponse,
 	) (string, error)
+	CreateJWT(
+		ctx context.Context,
+		credentialOfferJWT string,
+	) (string, error)
 }
 
 func getOIDC4VPClaimsStore(

diff --git a/component/wallet-cli/pkg/credentialoffer/credentialoffer.go b/component/wallet-cli/pkg/credentialoffer/credentialoffer.go
@@ -3,23 +3,39 @@ package credentialoffer
 import (
 	"encoding/json"
 	"fmt"
+	"io"
 	"net/http"
 	"net/url"
 
+	"github.com/hyperledger/aries-framework-go/component/models/jwt"
+	"github.com/hyperledger/aries-framework-go/component/models/verifiable"
+	vdrapi "github.com/hyperledger/aries-framework-go/component/vdr/api"
+	"github.com/valyala/fastjson"
+
 	"github.com/trustbloc/vcs/pkg/service/oidc4ci"
 )
 
-func ParseInitiateIssuanceUrl(rawURL string, client *http.Client) (*oidc4ci.CredentialOfferResponse, error) {
+func ParseInitiateIssuanceUrl(rawURL string, client *http.Client, vdrRegistry vdrapi.Registry) (*oidc4ci.CredentialOfferResponse, error) {
 	initiateIssuanceURLParsed, err := url.Parse(rawURL)
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse url %w", err)
 	}
 
-	credentialOfferURL := initiateIssuanceURLParsed.Query().Get("credential_offer")
 	var offerResponse oidc4ci.CredentialOfferResponse
+	var credentialOfferPayload []byte
+
+	if credentialOfferQueryParam := initiateIssuanceURLParsed.Query().Get("credential_offer"); len(credentialOfferQueryParam) > 0 {
+		credentialOfferPayload = []byte(credentialOfferQueryParam)
+		// Depends on Issuer configuration, credentialOfferURL might be either JWT signed CredentialOfferResponse,
+		// or encoded oidc4ci.CredentialOfferResponse itself.
+		if jwt.IsJWS(credentialOfferQueryParam) {
+			credentialOfferPayload, err = getCredentialOfferJWTPayload(credentialOfferQueryParam, vdrRegistry)
+			if err != nil {
+				return nil, err
+			}
+		}
 
-	if len(credentialOfferURL) > 0 {
-		if err = json.Unmarshal([]byte(credentialOfferURL), &offerResponse); err != nil {
+		if err = json.Unmarshal(credentialOfferPayload, &offerResponse); err != nil {
 			return nil, fmt.Errorf("can not parse credential offer. %w", err)
 		}
 
@@ -37,9 +53,51 @@ func ParseInitiateIssuanceUrl(rawURL string, client *http.Client) (*oidc4ci.Cred
 	}
 
 	defer resp.Body.Close()
-	if err = json.NewDecoder(resp.Body).Decode(&offerResponse); err != nil {
+
+	credentialOfferPayload, err = io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, fmt.Errorf("read credential_offer_uriresponse body: %w", err)
+	}
+
+	// Depends on Issuer configuration, rspBody might be either JWT signed CredentialOfferResponse,
+	// or encoded oidc4ci.CredentialOfferResponse itself.
+	if jwt.IsJWS(string(credentialOfferPayload)) {
+		credentialOfferPayload, err = getCredentialOfferJWTPayload(string(credentialOfferPayload), vdrRegistry)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	if err = json.Unmarshal(credentialOfferPayload, &offerResponse); err != nil {
 		return nil, err
 	}
 
 	return &offerResponse, nil
 }
+
+func getCredentialOfferJWTPayload(rawResponse string, vdrRegistry vdrapi.Registry) ([]byte, error) {
+	jwtVerifier := jwt.NewVerifier(jwt.KeyResolverFunc(
+		verifiable.NewVDRKeyResolver(vdrRegistry).PublicKeyFetcher()))
+
+	_, credentialOfferPayload, err := jwt.Parse(
+		rawResponse,
+		jwt.WithSignatureVerifier(jwtVerifier),
+		jwt.WithIgnoreClaimsMapDecoding(true),
+	)
+	if err != nil {
+		return nil, fmt.Errorf("parse credential offer JWT: %w", err)
+	}
+
+	var fastParser fastjson.Parser
+	v, err := fastParser.ParseBytes(credentialOfferPayload)
+	if err != nil {
+		return nil, fmt.Errorf("decode claims: %w", err)
+	}
+
+	sb, err := v.Get("credential_offer").Object()
+	if err != nil {
+		return nil, fmt.Errorf("fastjson.Parser Get credential_offer: %w", err)
+	}
+
+	return sb.MarshalTo([]byte{}), nil
+}
diff --git a/component/wallet-cli/pkg/walletrunner/wallet_runner_oidc4ci.go b/component/wallet-cli/pkg/walletrunner/wallet_runner_oidc4ci.go
@@ -72,9 +72,16 @@ func (s *Service) RunOIDC4CI(config *OIDC4CIConfig, hooks *Hooks) error {
 	log.Println("Starting OIDC4VCI authorized code flow")
 	ctx := context.Background()
 	log.Printf("Initiate issuance URL:\n\n\t%s\n\n", config.InitiateIssuanceURL)
+
+	err := s.CreateWallet()
+	if err != nil {
+		return fmt.Errorf("create wallet: %w", err)
+	}
+
 	offerResponse, err := credentialoffer.ParseInitiateIssuanceUrl(
 		config.InitiateIssuanceURL,
 		s.httpClient,
+		s.ariesServices.vdrRegistry,
 	)
 	if err != nil {
 		return fmt.Errorf("parse initiate issuance url: %w", err)
@@ -193,11 +200,6 @@ func (s *Service) RunOIDC4CI(config *OIDC4CIConfig, hooks *Hooks) error {
 
 	s.token = token
 
-	err = s.CreateWallet()
-	if err != nil {
-		return fmt.Errorf("create wallet: %w", err)
-	}
-
 	s.print("Getting credential")
 	vc, _, err := s.getCredential(
 		oidcIssuerCredentialConfig.CredentialEndpoint,

diff --git a/component/wallet-cli/pkg/walletrunner/wallet_runner_oidc4ci_pre_auth.go b/component/wallet-cli/pkg/walletrunner/wallet_runner_oidc4ci_pre_auth.go
@@ -30,14 +30,26 @@ func (s *Service) RunOIDC4CIPreAuth(config *OIDC4CIConfig) (*verifiable.Credenti
 	log.Println("Starting OIDC4VCI pre-authorized code flow")
 
 	ctx := context.Background()
+
+	startTime := time.Now()
+	err := s.CreateWallet()
+	if err != nil {
+		return nil, fmt.Errorf("failed to create wallet: %w", err)
+	}
+	s.perfInfo.CreateWallet = time.Since(startTime)
+
 	log.Printf("Initiate issuance URL:\n\n\t%s\n\n", config.InitiateIssuanceURL)
-	offerResponse, err := credentialoffer.ParseInitiateIssuanceUrl(config.InitiateIssuanceURL, s.httpClient)
+	offerResponse, err := credentialoffer.ParseInitiateIssuanceUrl(
+		config.InitiateIssuanceURL,
+		s.httpClient,
+		s.ariesServices.vdrRegistry,
+	)
 	if err != nil {
 		return nil, fmt.Errorf("parse initiate issuance url: %w", err)
 	}
 
 	s.print("Getting issuer OIDC config")
-	startTime := time.Now()
+	startTime = time.Now()
 	oidcConfig, err := s.getIssuerOIDCConfig(ctx, offerResponse.CredentialIssuer)
 	s.perfInfo.VcsCIFlowDuration += time.Since(startTime) // oidc config
 	s.perfInfo.GetIssuerOIDCConfig = time.Since(startTime)
@@ -106,13 +118,6 @@ func (s *Service) RunOIDC4CIPreAuth(config *OIDC4CIConfig) (*verifiable.Credenti
 		"c_nonce": *token.CNonce,
 	})
 
-	startTime = time.Now()
-	err = s.CreateWallet()
-	if err != nil {
-		return nil, fmt.Errorf("failed to create wallet: %w", err)
-	}
-	s.perfInfo.CreateWallet = time.Since(startTime)
-
 	s.print("Getting credential")
 	startTime = time.Now()
 	vc, vcsDuration, err := s.getCredential(credentialsEndpoint, config.CredentialType, config.CredentialFormat,

diff --git a/pkg/doc/vc/crypto/crypto.go b/pkg/doc/vc/crypto/crypto.go
@@ -13,7 +13,9 @@ import (
 
 	"github.com/piprate/json-gold/ld"
 
+	"github.com/hyperledger/aries-framework-go/component/kmscrypto/doc/jose"
 	"github.com/hyperledger/aries-framework-go/component/models/did"
+	"github.com/hyperledger/aries-framework-go/component/models/jwt"
 	ldprocessor "github.com/hyperledger/aries-framework-go/component/models/ld/processor"
 	ariessigner "github.com/hyperledger/aries-framework-go/component/models/signature/signer"
 	"github.com/hyperledger/aries-framework-go/component/models/signature/suite"
@@ -168,6 +170,35 @@ func (c *Crypto) SignCredential(
 	}
 }
 
+// NewJWTSigned returns JWT signed claims.
+func (c *Crypto) NewJWTSigned(claims interface{}, signerData *vc.Signer) (string, error) {
+	jwsAlgo, err := verifiable.KeyTypeToJWSAlgo(signerData.KeyType)
+	if err != nil {
+		return "", fmt.Errorf("getting JWS algo based on signature type: %w", err)
+	}
+
+	jwtAlgoStr, err := jwsAlgo.Name()
+	if err != nil {
+		return "", fmt.Errorf("get jwt algo name: %w", err)
+	}
+
+	signer, _, err := c.getSigner(signerData.KMSKeyID, signerData.KMS, signerData.SignatureType)
+	if err != nil {
+		return "", err
+	}
+
+	headers := map[string]interface{}{
+		jose.HeaderKeyID: signerData.Creator,
+	}
+
+	token, err := jwt.NewSigned(claims, headers, verifiable.GetJWTSigner(signer, jwtAlgoStr))
+	if err != nil {
+		return "", fmt.Errorf("newSigned: %w", err)
+	}
+
+	return token.Serialize(false)
+}
+
 // signCredentialLDP adds verifiable.LinkedDataProofContext to the VC.
 func (c *Crypto) signCredentialLDP(
 	signerData *vc.Signer, vc *verifiable.Credential, opts ...SigningOpts) (*verifiable.Credential, error) {

diff --git a/pkg/doc/vc/crypto/crypto_test.go b/pkg/doc/vc/crypto/crypto_test.go
@@ -33,6 +33,7 @@ import (
 	vdrmock "github.com/hyperledger/aries-framework-go/component/vdr/mock"
 	ariescrypto "github.com/hyperledger/aries-framework-go/spi/crypto"
 	"github.com/hyperledger/aries-framework-go/spi/kms"
+	"github.com/piprate/json-gold/ld"
 	"github.com/stretchr/testify/require"
 
 	"github.com/trustbloc/vcs/pkg/doc/vc"
@@ -819,6 +820,7 @@ func getTestLDPSigner() *vc.Signer {
 		SignatureType: "Ed25519Signature2018",
 		Creator:       "did:trustbloc:abc#key1",
 		KMSKeyID:      "key1",
+		KeyType:       kms.ED25519,
 		KMS: &mockVCSKeyManager{
 			crypto: &cryptomock.Crypto{},
 			kms:    &mockkms.KeyManager{},
@@ -881,12 +883,17 @@ func createKMS(t *testing.T) *localkms.LocalKMS {
 }
 
 type mockVCSKeyManager struct {
+	err    error
 	crypto ariescrypto.Crypto
 	kms    kms.KeyManager
 }
 
 func (m *mockVCSKeyManager) NewVCSigner(creator string,
 	signatureType vcsverifiable.SignatureType) (vc.SignerAlgorithm, error) {
+	if m.err != nil {
+		return nil, m.err
+	}
+
 	return signer.NewKMSSigner(m.kms, m.crypto, creator, signatureType, nil)
 }
 
@@ -938,3 +945,114 @@ func createDIDDoc(didID string, opts ...opt) *did.Doc {
 		CapabilityDelegation: []did.Verification{{VerificationMethod: signingKey}},
 	}
 }
+
+func TestCrypto_NewJWTSigned(t *testing.T) {
+	testClaims := map[string]interface{}{
+		"key": "value",
+	}
+
+	type fields struct {
+		vdr            vdrapi.Registry
+		documentLoader ld.DocumentLoader
+	}
+	type args struct {
+		getClaims     func() interface{}
+		getSignerData func() *vc.Signer
+	}
+	tests := []struct {
+		name    string
+		fields  fields
+		args    args
+		want    string
+		wantErr bool
+	}{
+		{
+			name: "Success",
+			fields: fields{
+				vdr:            &vdrmock.VDRegistry{ResolveValue: createDIDDoc("did:trustbloc:abc")},
+				documentLoader: testutil.DocumentLoader(t),
+			},
+			args: args{
+				getClaims: func() interface{} {
+					return testClaims
+				},
+				getSignerData: getTestLDPSigner,
+			},
+			want:    "eyJhbGciOiJFZERTQSIsImtpZCI6ImRpZDp0cnVzdGJsb2M6YWJjI2tleTEifQ.eyJrZXkiOiJ2YWx1ZSJ9.",
+			wantErr: false,
+		},
+		{
+			name: "Error KeyTypeToJWSAlgo",
+			fields: fields{
+				vdr:            &vdrmock.VDRegistry{ResolveValue: createDIDDoc("did:trustbloc:abc")},
+				documentLoader: testutil.DocumentLoader(t),
+			},
+			args: args{
+				getClaims: func() interface{} {
+					return testClaims
+				},
+				getSignerData: func() *vc.Signer {
+					s := getTestLDPSigner()
+					s.KeyType = ""
+
+					return s
+				},
+			},
+			want:    "",
+			wantErr: true,
+		},
+		{
+			name: "Error getSigner",
+			fields: fields{
+				vdr:            &vdrmock.VDRegistry{ResolveValue: createDIDDoc("did:trustbloc:abc")},
+				documentLoader: testutil.DocumentLoader(t),
+			},
+			args: args{
+				getClaims: func() interface{} {
+					return testClaims
+				},
+				getSignerData: func() *vc.Signer {
+					s := getTestLDPSigner()
+					s.KMS = &mockVCSKeyManager{
+						err: errors.New("some error"),
+					}
+
+					return s
+				},
+			},
+			want:    "",
+			wantErr: true,
+		},
+		{
+			name: "Error NewSigned",
+			fields: fields{
+				vdr:            &vdrmock.VDRegistry{ResolveValue: createDIDDoc("did:trustbloc:abc")},
+				documentLoader: testutil.DocumentLoader(t),
+			},
+			args: args{
+				getClaims: func() interface{} {
+					return func() {}
+				},
+				getSignerData: getTestLDPSigner,
+			},
+			want:    "",
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			c := &Crypto{
+				vdr:            tt.fields.vdr,
+				documentLoader: tt.fields.documentLoader,
+			}
+			got, err := c.NewJWTSigned(tt.args.getClaims(), tt.args.getSignerData())
+			if (err != nil) != tt.wantErr {
+				t.Errorf("NewJWTSigned() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if got != tt.want {
+				t.Errorf("NewJWTSigned() got = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
diff --git a/pkg/profile/api.go b/pkg/profile/api.go
@@ -108,6 +108,7 @@ type OIDCConfig struct {
 	InitialAccessTokenLifespan                 time.Duration `json:"initial_access_token_lifespan"`
 	PreAuthorizedGrantAnonymousAccessSupported bool          `json:"pre-authorized_grant_anonymous_access_supported"`
 	WalletInitiatedAuthFlowSupported           bool          `json:"wallet_initiated_auth_flow_supported"`
+	SignedCredentialOfferSupported             bool          `json:"signed_credential_offer_supported"`
 	ClaimsEndpoint                             string        `json:"claims_endpoint"`
 }