Migrate to multipaz 0.95 KeyUnlockDataProvider API

- Update multipaz dependency to 0.95
- Add KeyUnlockDataProviderExtensions for wrapping KeyUnlockData
- Update ProcessedDCPAPIRequest for response generation
- Update OpenId4VpUtils for coroutine context handling
- Update SecureAreaWalletKeyManager for API changes
- Update MsoMdocParser for multipaz 0.95 compatibility

Author: leoScytales

gradle/libs.versions.toml

@@ -10,8 +10,8 @@ dependencycheck = "12.1.3"
 dokka = "1.9.20"
 espresso-contrib = "3.6.1"
 espresso-core = "3.6.1"
-eudi-document-manager = "0.13.0"
-eudi-iso18013-data-transfer = "0.10.0"
+eudi-document-manager = "0.14.0-SNAPSHOT"
+eudi-iso18013-data-transfer = "0.11.0-SNAPSHOT"
 eudi-lib-jvm-openid4vci-kt = "0.9.1"
 eudi-lib-jvm-siop-openid4vp-kt = "0.12.0"
 eudi-lib-jvm-sdjwt-kt = "0.10.0"
@@ -30,7 +30,7 @@ mockito-android = "5.18.0"
 mockito-inline = "5.2.0"
 mockito-kotlin = "5.4.0"
 mockk = "1.14.4"
-multipaz = "0.94.0"
+multipaz = "0.95.0"
 nimbus-sdk = "11.20.1"
 play-services-identity-credentials = "16.0.0-alpha05"
 robolectric = "4.15.1"

wallet-core/src/main/java/eu/europa/ec/eudi/wallet/dcapi/ProcessedDCPAPIRequest.kt

@@ -34,13 +34,13 @@ import eu.europa.ec.eudi.iso18013.transfer.response.device.ProcessedDeviceReques
 import eu.europa.ec.eudi.wallet.internal.d
 import eu.europa.ec.eudi.wallet.internal.e
 import eu.europa.ec.eudi.wallet.logging.Logger
+import kotlinx.coroutines.runBlocking
 import org.bouncycastle.util.encoders.Hex
 import org.json.JSONObject
 import org.multipaz.cbor.Cbor
 import org.multipaz.crypto.Algorithm
 import org.multipaz.util.fromBase64Url
-import org.multipaz.crypto.Crypto
-import org.multipaz.crypto.EcPublicKeyDoubleCoordinate
+import org.multipaz.crypto.Hpke
 
 /**
  * Processes a DCAPI request by generating a response based on the provided device request and credential options.
@@ -100,19 +100,24 @@ class ProcessedDCPAPIRequest(
             )
 
             // Encrypt the device response using HPKE
-            val (cipherText, encapsulatedPublicKey) = Crypto.hpkeEncrypt(
-                cipherSuite = Algorithm.HPKE_BASE_P256_SHA256_AES128GCM,
-                receiverPublicKey = recipientPublicKey,
-                plainText = deviceResponse.deviceResponseBytes,
-                aad = deviceResponse.sessionTranscriptBytes
-            )
+            val (cipherText, encapsulatedPublicKey) = runBlocking {
+                val encrypter = Hpke.getEncrypter(
+                    cipherSuite = Hpke.CipherSuite.DHKEM_P256_HKDF_SHA256_HKDF_SHA256_AES_128_GCM,
+                    receiverPublicKey = recipientPublicKey,
+                    info = deviceResponse.sessionTranscriptBytes
+                )
+                val cipherText = encrypter.encrypt(
+                    plaintext = deviceResponse.deviceResponseBytes,
+                    aad = ByteArray(0)
+                )
+                val encapsulatedPublicKey = encrypter.encapsulatedKey.toByteArray()
+                Pair(cipherText, encapsulatedPublicKey)
+            }
 
-            val enc =
-                (encapsulatedPublicKey as EcPublicKeyDoubleCoordinate).asUncompressedPointEncoding
             val encryptedResponse = CBORObject.NewArray().apply {
                 Add(DCAPI)
                 Add(CBORObject.NewMap().apply {
-                    Add(ENC, enc)
+                    Add(ENC, encapsulatedPublicKey)
                     Add(CIPHER_TEXT, cipherText)
                 })
             }.EncodeToBytes()

wallet-core/src/main/java/eu/europa/ec/eudi/wallet/internal/KeyUnlockDataProviderExtensions.kt

@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 2024-2025 European Commission
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package eu.europa.ec.eudi.wallet.internal
+
+import org.multipaz.securearea.KeyLockedException
+import org.multipaz.securearea.KeyUnlockData
+import org.multipaz.securearea.KeyUnlockDataProvider
+import org.multipaz.securearea.SecureArea
+import org.multipaz.securearea.UnlockReason
+
+/**
+ * Extension function to convert a nullable [KeyUnlockData] to a [KeyUnlockDataProvider].
+ *
+ * This allows the existing API that accepts [KeyUnlockData] to work with the new
+ * multipaz 0.95 API that requires [KeyUnlockDataProvider] in coroutine context.
+ *
+ * @return A [KeyUnlockDataProvider] that returns the [KeyUnlockData] when requested,
+ *         or throws [KeyLockedException] if the data is null.
+ */
+internal fun KeyUnlockData?.asProvider(): KeyUnlockDataProvider {
+    val data = this
+    return object : KeyUnlockDataProvider {
+        override suspend fun getKeyUnlockData(
+            secureArea: SecureArea,
+            alias: String,
+            unlockReason: UnlockReason
+        ): KeyUnlockData {
+            return data ?: throw KeyLockedException("No unlock data provided")
+        }
+    }
+}

wallet-core/src/main/java/eu/europa/ec/eudi/wallet/internal/OpenId4VpUtils.kt

@@ -76,9 +76,11 @@ import eu.europa.ec.eudi.wallet.transfer.openId4vp.OpenId4VpConfig
 import eu.europa.ec.eudi.wallet.transfer.openId4vp.OpenId4VpReaderTrust
 import eu.europa.ec.eudi.wallet.transfer.openId4vp.SdJwtVcItem
 import kotlinx.coroutines.runBlocking
+import kotlinx.coroutines.withContext
 import org.multipaz.credential.SecureAreaBoundCredential
 import org.multipaz.crypto.Algorithm
 import org.multipaz.securearea.KeyUnlockData
+import org.multipaz.securearea.UnlockReason
 import java.security.MessageDigest
 import java.security.SecureRandom
 import java.util.Base64
@@ -331,17 +333,20 @@ internal suspend fun SdJwt<JwtAndClaims>.serializeWithKeyBinding(
 ): String {
     val algorithm = JWSAlgorithm.parse((signatureAlgorithm).joseAlgorithmIdentifier)
     val publicKey = credential.secureArea.getKeyInfo(credential.alias).publicKey
+    val provider = keyUnlockData.asProvider()
     val buildKbJwt = NimbusSdJwtOps.kbJwtIssuer(
         signer = object : JWSSigner {
             override fun getJCAContext(): JCAContext = JCAContext()
             override fun supportedJWSAlgorithms(): Set<JWSAlgorithm> = setOf(algorithm)
             override fun sign(header: JWSHeader, signingInput: ByteArray): Base64URL {
                 val signature = runBlocking {
-                    credential.secureArea.sign(
-                        alias = credential.alias,
-                        dataToSign = signingInput,
-                        keyUnlockData = keyUnlockData
-                    )
+                    withContext(provider) {
+                        credential.secureArea.sign(
+                            alias = credential.alias,
+                            dataToSign = signingInput,
+                            unlockReason = UnlockReason.Unspecified
+                        )
+                    }
                 }
                 return Base64URL.encode(signature.toJoseEncoded(algorithm))
             }

wallet-core/src/main/java/eu/europa/ec/eudi/wallet/provider/SecureAreaWalletKeyManager.kt

@@ -16,11 +16,14 @@
 
 package eu.europa.ec.eudi.wallet.provider
 
+import eu.europa.ec.eudi.wallet.internal.asProvider
+import kotlinx.coroutines.withContext
 import org.multipaz.crypto.Algorithm
 import org.multipaz.securearea.CreateKeySettings
 import org.multipaz.securearea.KeyInfo
 import org.multipaz.securearea.KeyUnlockData
 import org.multipaz.securearea.SecureArea
+import org.multipaz.securearea.UnlockReason
 import java.security.MessageDigest
 
 /**
@@ -72,7 +75,10 @@ open class SecureAreaWalletKeyManager(
         }
         WalletAttestationKey(keyInfo) { data ->
             val keyUnlockData = keyUnlockDataProvider(keyAlias, secureArea)
-            secureArea.sign(keyAlias, data, keyUnlockData).toDerEncoded()
+            val provider = keyUnlockData.asProvider()
+            withContext(provider) {
+                secureArea.sign(keyAlias, data, UnlockReason.Unspecified).toDerEncoded()
+            }
         }
     }
 
@@ -82,7 +88,10 @@ open class SecureAreaWalletKeyManager(
         }.map { keyInfo ->
             WalletAttestationKey(keyInfo) { data ->
                 val keyUnlockData = keyUnlockDataProvider(keyAlias, secureArea)
-                secureArea.sign(keyAlias, data, keyUnlockData).toDerEncoded()
+                val provider = keyUnlockData.asProvider()
+                withContext(provider) {
+                    secureArea.sign(keyAlias, data, UnlockReason.Unspecified).toDerEncoded()
+                }
             }
         }.getOrNull()
     }

wallet-core/src/main/java/eu/europa/ec/eudi/wallet/transactionLogging/presentation/parsing/MsoMdocParser.kt

@@ -22,6 +22,7 @@ import eu.europa.ec.eudi.wallet.transactionLogging.TransactionLog
 import eu.europa.ec.eudi.wallet.transactionLogging.presentation.PresentedClaim
 import eu.europa.ec.eudi.wallet.transactionLogging.presentation.PresentedDocument
 import eu.europa.ec.eudi.wallet.util.CBOR
+import kotlinx.coroutines.runBlocking
 import org.multipaz.mdoc.response.DeviceResponseParser
 
 /**
@@ -38,10 +39,12 @@ fun parseMsoMdoc(
     metadata: List<String>
 ): List<PresentedDocument> {
     // Parse the raw response using the DeviceResponseParser
-    val parsed = DeviceResponseParser(
-        rawResponse,
-        sessionTranscript ?: byteArrayOf(0)
-    ).parse()
+    val parsed = runBlocking {
+        DeviceResponseParser(
+            rawResponse,
+            sessionTranscript ?: byteArrayOf(0)
+        ).parse()
+    }
 
     val parsedMetadata = metadata.map { TransactionLog.Metadata.fromJson(it) }