feat: openid4vci mdoc-issuance alpha

Signed-off-by: Martin Auer <martin.auer97@gmail.com>
openwallet-foundation · Oct 25, 2024 · 0c4a093 · 0c4a093
1 parent 23a9cb6
commit 0c4a093
Show file tree

Hide file tree

Showing 15 changed files with 398 additions and 11 deletions.
diff --git a/demo-openid/src/Holder.ts b/demo-openid/src/Holder.ts
@@ -29,6 +29,12 @@ export class Holder extends BaseAgent<ReturnType<typeof getOpenIdHolderModules>>
     const holder = new Holder(3000, 'OpenId4VcHolder ' + Math.random().toString())
     await holder.initializeAgent('96213c3d7fc8d4d6754c7a0fd969598e')
 
+    // Set trusted issuer certificates. Required fro verifying mdoc credentials
+    const trustedCertificates: string[] = []
+    await holder.agent.x509.setTrustedCertificates(
+      trustedCertificates.length === 0 ? undefined : (trustedCertificates as [string, ...string[]])
+    )
+
     return holder
   }
 

diff --git a/demo-openid/src/Issuer.ts b/demo-openid/src/Issuer.ts
@@ -4,6 +4,7 @@ import type {
   OpenId4VcCredentialHolderDidBinding,
   OpenId4VciCredentialRequestToCredentialMapper,
   OpenId4VciCredentialSupportedWithId,
+  OpenId4VciSignMdocCredential,
   OpenId4VcIssuerRecord,
 } from '@credo-ts/openid4vc'
 
@@ -16,6 +17,10 @@ import {
   W3cCredentialSubject,
   W3cIssuer,
   w3cDate,
+  X509Service,
+  KeyType,
+  X509ModuleConfig,
+  MdocService,
 } from '@credo-ts/core'
 import { OpenId4VcIssuerModule, OpenId4VciCredentialFormatProfile } from '@credo-ts/openid4vc'
 import { ariesAskar } from '@hyperledger/aries-askar-nodejs'
@@ -42,18 +47,29 @@ export const universityDegreeCredentialSdJwt = {
   vct: 'UniversityDegreeCredential',
 } satisfies OpenId4VciCredentialSupportedWithId
 
+export const universityDegreeCredentialMdoc = {
+  id: 'UniversityDegreeCredential-mdoc',
+  format: OpenId4VciCredentialFormatProfile.MsoMdoc,
+  doctype: 'UniversityDegreeCredential',
+} satisfies OpenId4VciCredentialSupportedWithId
+
 export const credentialsSupported = [
   universityDegreeCredential,
   openBadgeCredential,
   universityDegreeCredentialSdJwt,
+  universityDegreeCredentialMdoc,
 ] satisfies OpenId4VciCredentialSupportedWithId[]
 
 function getCredentialRequestToCredentialMapper({
   issuerDidKey,
 }: {
   issuerDidKey: DidKey
 }): OpenId4VciCredentialRequestToCredentialMapper {
-  return async ({ holderBinding, credentialConfigurationIds }) => {
+  return async ({ holderBinding, credentialConfigurationIds, agentContext }) => {
+    const trustedCertificates = agentContext.dependencyManager.resolve(X509ModuleConfig).trustedCertificates
+    if (trustedCertificates?.length !== 1) {
+      throw new Error(`Expected exactly one trusted certificate. Received ${trustedCertificates?.length}.`)
+    }
     const credentialConfigurationId = credentialConfigurationIds[0]
 
     if (credentialConfigurationId === universityDegreeCredential.id) {
@@ -110,6 +126,25 @@ function getCredentialRequestToCredentialMapper({
       }
     }
 
+    if (credentialConfigurationId === universityDegreeCredentialMdoc.id) {
+      const holderKey = await agentContext.dependencyManager
+        .resolve(MdocService)
+        .getKeyFromMdocCredentialHolderBinding(agentContext, holderBinding)
+
+      return {
+        credentialSupportedId: universityDegreeCredentialMdoc.id,
+        format: ClaimFormat.MsoMdoc,
+        docType: universityDegreeCredentialMdoc.doctype,
+        issuerCertificate: trustedCertificates[0],
+        holderKey,
+        namespaces: {
+          'Leopold-Franzens-University': {
+            degree: 'bachelor',
+          },
+        },
+      } satisfies OpenId4VciSignMdocCredential
+    }
+
     throw new Error('Invalid request')
   }
 }
@@ -147,6 +182,25 @@ export class Issuer extends BaseAgent<{
   public static async build(): Promise<Issuer> {
     const issuer = new Issuer(2000, 'OpenId4VcIssuer ' + Math.random().toString())
     await issuer.initializeAgent('96213c3d7fc8d4d6754c7a0fd969598f')
+
+    const currentDate = new Date()
+    currentDate.setDate(currentDate.getDate() - 1)
+    const nextDay = new Date(currentDate)
+    nextDay.setDate(currentDate.getDate() + 2)
+
+    const selfSignedCertificate = await X509Service.createSelfSignedCertificate(issuer.agent.context, {
+      key: await issuer.agent.context.wallet.createKey({ keyType: KeyType.P256 }),
+      notBefore: currentDate,
+      notAfter: nextDay,
+      extensions: [],
+      name: 'C=DE',
+    })
+
+    const issuerCertficicate = selfSignedCertificate.toString('pem')
+    await issuer.agent.x509.setTrustedCertificates([issuerCertficicate])
+    console.log('Set the following certficate for the holder to verify mdoc credentials.')
+    console.log(issuerCertficicate)
+
     issuer.issuerRecord = await issuer.agent.modules.openId4VcIssuer.createIssuer({
       credentialsSupported,
     })

diff --git a/packages/core/src/modules/mdoc/MdocOptions.ts b/packages/core/src/modules/mdoc/MdocOptions.ts
@@ -1,4 +1,5 @@
 import type { Mdoc } from './Mdoc'
+import type { Jwk } from '../../crypto'
 import type { Key } from '../../crypto/Key'
 import type { DifPresentationExchangeDefinition } from '../dif-presentation-exchange'
 import type { ValidityInfo, MdocNameSpaces } from '@protokoll/mdoc-client'
@@ -56,3 +57,15 @@ export type MdocSignOptions = {
   issuerCertificate: string
   holderKey: Key
 }
+
+export type MdocCredentialHolderDidBinding = {
+  method: 'did'
+  didUrl: string
+}
+
+export type MdocCredentialHolderJwkBinding = {
+  method: 'jwk'
+  jwk: Jwk
+}
+
+export type MdocCredentialHolderBinding = MdocCredentialHolderDidBinding | MdocCredentialHolderJwkBinding
diff --git a/packages/core/src/modules/mdoc/MdocService.ts b/packages/core/src/modules/mdoc/MdocService.ts
@@ -3,12 +3,15 @@ import type {
   MdocDeviceResponseOpenId4VpOptions,
   MdocDeviceResponseVerifyOptions,
   MdocVerifyOptions,
+  MdocCredentialHolderBinding,
 } from './MdocOptions'
 import type { Query, QueryOptions } from '../../storage/StorageService'
 
 import { injectable } from 'tsyringe'
 
 import { AgentContext } from '../../agent'
+import { Key } from '../../crypto'
+import { DidResolverService, getKeyFromVerificationMethod, parseDid } from '../dids'
 
 import { Mdoc } from './Mdoc'
 import { MdocDeviceResponse } from './MdocDeviceResponse'
@@ -37,6 +40,29 @@ export class MdocService {
     return await mdoc.verify(agentContext, options)
   }
 
+  public async getKeyFromMdocCredentialHolderBinding(
+    agentContext: AgentContext,
+    holderBinding: MdocCredentialHolderBinding
+  ) {
+    let holderKey: Key
+    if (holderBinding.method !== 'jwk') {
+      const parsedDid = parseDid(holderBinding.didUrl)
+      if (!parsedDid.fragment) {
+        throw new Error(
+          `didUrl '${holderBinding.didUrl}' does not contain a '#'. Unable to derive key from did document`
+        )
+      }
+
+      const didResolver = agentContext.dependencyManager.resolve(DidResolverService)
+      const didDocument = await didResolver.resolveDidDocument(agentContext, holderBinding.didUrl)
+      holderKey = getKeyFromVerificationMethod(didDocument.dereferenceKey(holderBinding.didUrl, ['assertionMethod']))
+    } else {
+      holderKey = holderBinding.jwk.key
+    }
+
+    return holderKey
+  }
+
   public async createOpenId4VpDeviceResponse(agentContext: AgentContext, options: MdocDeviceResponseOpenId4VpOptions) {
     return MdocDeviceResponse.createOpenId4VpDeviceResponse(agentContext, options)
   }

diff --git a/packages/openid4vc/src/openid4vc-holder/OpenId4VciHolderService.ts b/packages/openid4vc/src/openid4vc-holder/OpenId4VciHolderService.ts
@@ -22,6 +22,7 @@ import type {
   AuthorizationDetails,
   AuthorizationDetailsJwtVcJson,
   AuthorizationDetailsJwtVcJsonLdAndLdpVc,
+  AuthorizationDetailsMsoMdoc,
   AuthorizationDetailsSdJwtVc,
   CredentialResponse,
   Jwt,
@@ -37,6 +38,8 @@ import {
   Jwk,
   JwsService,
   Logger,
+  Mdoc,
+  MdocApi,
   SdJwtVcApi,
   SignatureSuiteRegistry,
   TypedArrayEncoder,
@@ -178,6 +181,14 @@ export class OpenId4VciHolderService {
         vct: offeredCredential.vct,
         claims: offeredCredential.claims,
       } satisfies AuthorizationDetailsSdJwtVc
+    } else if (format === OpenId4VciCredentialFormatProfile.MsoMdoc) {
+      return {
+        type,
+        format,
+        locations,
+        claims: offeredCredential.claims,
+        doctype: offeredCredential.doctype,
+      } satisfies AuthorizationDetailsMsoMdoc
     } else {
       throw new CredoError(`Cannot create authorization_details. Unsupported credential format '${format}'.`)
     }
@@ -662,6 +673,7 @@ export class OpenId4VciHolderService {
         case OpenId4VciCredentialFormatProfile.JwtVcJson:
         case OpenId4VciCredentialFormatProfile.JwtVcJsonLd:
         case OpenId4VciCredentialFormatProfile.SdJwtVc:
+        case OpenId4VciCredentialFormatProfile.MsoMdoc:
           signatureAlgorithm = options.possibleProofOfPossessionSignatureAlgorithms.find((signatureAlgorithm) =>
             proofSigningAlgsSupported.includes(signatureAlgorithm)
           )
@@ -782,6 +794,24 @@ export class OpenId4VciHolderService {
       }
 
       return { credential, notificationMetadata }
+    } else if (format === OpenId4VciCredentialFormatProfile.MsoMdoc) {
+      if (typeof credentialResponse.successBody.credential !== 'string')
+        throw new CredoError(
+          `Received a credential of format ${
+            OpenId4VciCredentialFormatProfile.MsoMdoc
+          }, but the credential is not a string. ${JSON.stringify(credentialResponse.successBody.credential)}`
+        )
+
+      const mdocApi = agentContext.dependencyManager.resolve(MdocApi)
+      const mdoc = Mdoc.fromBase64Url(credentialResponse.successBody.credential)
+      const verificationResult = await mdocApi.verify(mdoc, {})
+
+      if (!verificationResult.isValid) {
+        agentContext.config.logger.error('Failed to validate credential', { verificationResult })
+        throw new CredoError(`Failed to validate mdoc credential. Results = ${verificationResult.error}`)
+      }
+
+      return { credential: mdoc, notificationMetadata }
     }
 
     throw new CredoError(`Unsupported credential format ${credentialResponse.successBody.format}`)

diff --git a/packages/openid4vc/src/openid4vc-holder/OpenId4VciHolderServiceOptions.ts b/packages/openid4vc/src/openid4vc-holder/OpenId4VciHolderServiceOptions.ts
@@ -21,12 +21,14 @@ export type OpenId4VciSupportedCredentialFormats =
   | OpenId4VciCredentialFormatProfile.JwtVcJsonLd
   | OpenId4VciCredentialFormatProfile.SdJwtVc
   | OpenId4VciCredentialFormatProfile.LdpVc
+  | OpenId4VciCredentialFormatProfile.MsoMdoc
 
 export const openId4VciSupportedCredentialFormats: OpenId4VciSupportedCredentialFormats[] = [
   OpenId4VciCredentialFormatProfile.JwtVcJson,
   OpenId4VciCredentialFormatProfile.JwtVcJsonLd,
   OpenId4VciCredentialFormatProfile.SdJwtVc,
   OpenId4VciCredentialFormatProfile.LdpVc,
+  OpenId4VciCredentialFormatProfile.MsoMdoc,
 ]
 
 export interface OpenId4VciNotificationMetadata {

diff --git a/packages/openid4vc/src/openid4vc-issuer/OpenId4VcIssuerService.ts b/packages/openid4vc/src/openid4vc-issuer/OpenId4VcIssuerService.ts
@@ -6,6 +6,7 @@ import type {
   OpenId4VcIssuerMetadata,
   OpenId4VciSignSdJwtCredential,
   OpenId4VciSignW3cCredential,
+  OpenId4VciSignMdocCredential,
 } from './OpenId4VcIssuerServiceOptions'
 import type { OpenId4VcIssuanceSessionRecord } from './repository'
 import type {
@@ -47,6 +48,7 @@ import {
   KeyType,
   utils,
   W3cCredentialService,
+  MdocApi,
 } from '@credo-ts/core'
 import { VcIssuerBuilder } from '@sphereon/oid4vci-issuer'
 
@@ -499,6 +501,11 @@ export class OpenId4VcIssuerService {
           offeredCredential.format === credentialRequest.format
         ) {
           return offeredCredential.vct === credentialRequest.vct
+        } else if (
+          credentialRequest.format === OpenId4VciCredentialFormatProfile.MsoMdoc &&
+          offeredCredential.format === credentialRequest.format
+        ) {
+          return offeredCredential.doctype === credentialRequest.doctype
         }
 
         return false
@@ -518,6 +525,18 @@ export class OpenId4VcIssuerService {
     }
   }
 
+  private getMsoMdocCredentialSigningCallback = (
+    agentContext: AgentContext,
+    options: OpenId4VciSignMdocCredential
+  ): CredentialSignerCallback<DidDocument> => {
+    return async () => {
+      const mdocApi = agentContext.dependencyManager.resolve(MdocApi)
+
+      const mdoc = await mdocApi.sign(options)
+      return getSphereonVerifiableCredential(mdoc)
+    }
+  }
+
   private getW3cCredentialSigningCallback = (
     agentContext: AgentContext,
     options: OpenId4VciSignW3cCredential
@@ -712,6 +731,25 @@ export class OpenId4VcIssuerService {
           credential: { ...signOptions.payload } as unknown as CredentialIssuanceInput,
           signCallback: this.getSdJwtVcCredentialSigningCallback(agentContext, signOptions),
         }
+      } else if (signOptions.format === ClaimFormat.MsoMdoc) {
+        if (credentialRequest.format !== OpenId4VciCredentialFormatProfile.MsoMdoc) {
+          throw new CredoError(
+            `Invalid credential format. Expected '${OpenId4VciCredentialFormatProfile.MsoMdoc}', received '${credentialRequest.format}'.`
+          )
+        }
+
+        if (credentialRequest.doctype !== signOptions.docType) {
+          throw new CredoError(
+            `The types of the offered credentials do not match the types of the requested credential. Offered '${signOptions.docType}' Requested '${credentialRequest.doctype}'.`
+          )
+        }
+
+        return {
+          format: credentialRequest.format,
+          // NOTE: we don't use the credential value here as we pass the credential directly to the singer
+          credential: { ...signOptions.namespaces, docType: signOptions.docType } as unknown as CredentialIssuanceInput,
+          signCallback: this.getMsoMdocCredentialSigningCallback(agentContext, signOptions),
+        }
       } else {
         throw new CredoError(`Unsupported credential format ${signOptions.format}`)
       }

diff --git a/packages/openid4vc/src/openid4vc-issuer/OpenId4VcIssuerServiceOptions.ts b/packages/openid4vc/src/openid4vc-issuer/OpenId4VcIssuerServiceOptions.ts
@@ -20,6 +20,7 @@ import type {
   W3cCredential,
   SdJwtVcSignOptions,
   JwaSignatureAlgorithm,
+  MdocSignOptions,
 } from '@credo-ts/core'
 
 export interface OpenId4VciPreAuthorizedCodeFlowConfig {
@@ -139,13 +140,21 @@ export type OpenId4VciCredentialRequestToCredentialMapper = (options: {
   credentialConfigurationIds: [string, ...string[]]
 }) => Promise<OpenId4VciSignCredential> | OpenId4VciSignCredential
 
-export type OpenId4VciSignCredential = OpenId4VciSignSdJwtCredential | OpenId4VciSignW3cCredential
+export type OpenId4VciSignCredential =
+  | OpenId4VciSignSdJwtCredential
+  | OpenId4VciSignW3cCredential
+  | OpenId4VciSignMdocCredential
 
 export interface OpenId4VciSignSdJwtCredential extends SdJwtVcSignOptions {
   credentialSupportedId: string
   format: ClaimFormat.SdJwtVc | `${ClaimFormat.SdJwtVc}`
 }
 
+export interface OpenId4VciSignMdocCredential extends MdocSignOptions {
+  credentialSupportedId: string
+  format: ClaimFormat.MsoMdoc | `${ClaimFormat.MsoMdoc}`
+}
+
 export interface OpenId4VciSignW3cCredential {
   credentialSupportedId: string
   format: ClaimFormat.JwtVc | `${ClaimFormat.JwtVc}` | ClaimFormat.LdpVc | `${ClaimFormat.LdpVc}`

diff --git a/packages/openid4vc/src/openid4vc-verifier/OpenId4VcSiopVerifierService.ts b/packages/openid4vc/src/openid4vc-verifier/OpenId4VcSiopVerifierService.ts
@@ -554,6 +554,9 @@ export class OpenId4VcSiopVerifierService {
         responseTypesSupported: [ResponseType.VP_TOKEN],
         subject_syntax_types_supported: supportedDidMethods.map((m) => `did:${m}`),
         vpFormatsSupported: {
+          mso_mdoc: {
+            alg: supportedAlgs,
+          },
           jwt_vc: {
             alg: supportedAlgs,
           },