Merge pull request #110 from niscy-eudiw/feature/client-attestation-updates

Client attestation updates

Author: dtsiflit

Sources/Main/AttestationBasedClient/ClientAttestation.swift

@@ -37,12 +37,6 @@ public struct ClientAttestationJWT {
     }
     self.payload = JSON(jsonObject)
 
-    /*
-    guard payload[JWTClaimNames.subject].string != nil else {
-      throw ClientAttestationError.missingSubject
-    }
-     */
-    
     guard let cnf = payload[JWTClaimNames.cnf].dictionary else {
       throw ClientAttestationError.missingCnfClaim
     }

Sources/Main/AttestationBasedClient/ClientAttestationPoPBuilder.swift

@@ -48,22 +48,22 @@ public struct DefaultClientAttestationPoPBuilder: ClientAttestationPoPBuilder {
     clock: ClockType,
     authServerId: URL
   ) throws -> ClientAttestationPoPJWT {
-    
     switch client {
     case .attested(let attestationJWT, let popJwtSpec):
-      let now = Date()
-      let exp = now.addingTimeInterval(popJwtSpec.duration)
-      let jws = try JWS.init(
+      let now = Date().timeIntervalSince1970
+      let exp = Date().addingTimeInterval(popJwtSpec.duration).timeIntervalSince1970
+      let jws: JWS = try .init(
         header: try .init(parameters: [
           JWTClaimNames.algorithm: popJwtSpec.signingAlgorithm.rawValue,
           JWTClaimNames.type: popJwtSpec.typ
         ]),
         payload: .init(JSON([
           JWTClaimNames.issuer: attestationJWT.clientId,
-          JWTClaimNames.jwtId: UUID().uuidString,
+          JWTClaimNames.jwtId: String.randomBase64URLString(length: 20),
           JWTClaimNames.expirationTime: exp,
           JWTClaimNames.issuedAt: now,
-          JWTClaimNames.audience: authServerId.absoluteString
+          JWTClaimNames.audience: authServerId.absoluteString,
+          JWTClaimNames.cnf: attestationJWT.cnf
         ]).rawData()),
         signer: popJwtSpec.jwsSigner
       )

Sources/Main/AttestationBasedClient/ClientAttestationPoPJWTSpec.swift

@@ -35,15 +35,15 @@ public struct ClientAttestationPoPJWTSpec {
 
   public let signingAlgorithm: SignatureAlgorithm
   public let duration: TimeInterval
-  public let typ: String?
+  public let typ: String
   public let jwsSigner: Signer
 
   // MARK: - Initializer
 
   public init(
     signingAlgorithm: SignatureAlgorithm,
     duration: TimeInterval = 300, // Default to 5 minutes
-    typ: String? = nil,
+    typ: String,
     jwsSigner: Signer
   ) throws {
     // Validate the signing algorithm (must not be MAC)

Tests/Helpers/SelfSignedClientAttestation.swift

@@ -36,11 +36,15 @@ internal func selfSignedClient(
     algorithm: algorithm
   )
 
+  let duration: TimeInterval = 300
+  let now = Date().timeIntervalSince1970
+  let exp = Date().addingTimeInterval(duration).timeIntervalSince1970
   let payload: Payload = try! .init([
     "iss": clientId,
-    "clientId": clientId,
+    "aud": clientId,
     "sub": clientId,
-    "exp": 1800000000,
+    "iat": now,
+    "exp": exp,
     "cnf": [
       "jwk": ECPublicKey(
         publicKey: try! KeyController.generateECDHPublicKey(
@@ -65,6 +69,8 @@ internal func selfSignedClient(
     ),
     popJwtSpec: .init(
       signingAlgorithm: algorithm,
+      duration: duration,
+      typ: "oauth-client-attestation-pop+jwt",
       jwsSigner: signer
     )
   )