Add an option for a Wallet to configure supported Proof types

Author: dzarras

README.md

@@ -578,6 +578,7 @@ data class OpenId4VCIConfig(
     val parUsage: ParUsage = ParUsage.IfSupported,
     val clock: Clock = Clock.systemDefaultZone(),
     val issuerMetadataPolicy: IssuerMetadataPolicy = IssuerMetadataPolicy.IgnoreSigned,
+    val proofs: ProofsConfig, 
 )
 ```
 
@@ -597,6 +598,7 @@ Options available:
   - `IssuerMetadataPolicy.RequireSigned`: require the presence of signed metadata and use only values from signed metadata
   - `IssuerMetadataPolicy.PreferSigned`: presence of signed metadata is optional, if present values from signed metadata take precedence
   - `IssuerMetadataPolicy.IgnoreSigned`: signed metadata are ignored
+- proofs: Proofs types supported by the Wallet. Wallet can choose whether to support non-device-bound attestations, and device-bound attestations alongside the supported proof types. 
 
 Trust between the Wallet and the Signer of the signed metadata advertised by the Credential Issuer is established using one of the following ways:
 - `IssuerTrust.ByPublicKey`: trusting the public key used to sign the metadata

src/main/kotlin/eu/europa/ec/eudi/openid4vci/Config.kt

@@ -18,6 +18,7 @@ package eu.europa.ec.eudi.openid4vci
 import com.nimbusds.jose.CompressionAlgorithm
 import com.nimbusds.jose.EncryptionMethod
 import com.nimbusds.jose.JWEAlgorithm
+import com.nimbusds.jose.JWSAlgorithm
 import com.nimbusds.jose.crypto.ECDHEncrypter
 import com.nimbusds.jose.crypto.RSAEncrypter
 import com.nimbusds.jose.crypto.impl.ContentCryptoProvider
@@ -73,6 +74,7 @@ sealed interface ClientAuthentication : java.io.Serializable {
  * @param parUsage whether to use PAR in case of authorization code grant
  * @param clock Wallet's clock
  * @param issuerMetadataPolicy policy concerning signed metadata usage
+ * @param proofs proofs supported by the Wallet
  */
 data class OpenId4VCIConfig(
     val clientAuthentication: ClientAuthentication,
@@ -84,11 +86,14 @@ data class OpenId4VCIConfig(
     val parUsage: ParUsage = ParUsage.IfSupported,
     val clock: Clock = Clock.systemDefaultZone(),
     val issuerMetadataPolicy: IssuerMetadataPolicy = IssuerMetadataPolicy.IgnoreSigned,
+    val proofs: ProofsConfig,
 ) {
 
     /**
-     * Creates a new [OpenId4VCIConfig] instance for a Wallet that uses [a Public OAuth 2.0 Client][ClientAuthentication.None].
+     * Creates a new [OpenId4VCIConfig] instance for a Wallet that uses [a Public OAuth 2.0 Client][ClientAuthentication.None], and all
+     * [Proof Types][ProofsConfig].
      */
+    @Deprecated(message = "Replace with the primary constructor")
     constructor(
         clientId: ClientId,
         authFlowRedirectionURI: URI,
@@ -109,12 +114,13 @@ data class OpenId4VCIConfig(
         parUsage,
         clock,
         issuerMetadataPolicy,
+        ProofsConfig.All,
     )
 
     /**
-     * Creates a new [OpenId4VCIConfig] instance for a Wallet.
+     * Creates a new [OpenId4VCIConfig] instance for a Wallet that supports all [Proof Types][ProofsConfig].
      */
-    @Deprecated(message = "Replace with the constructor that uses DPoPUsage.")
+    @Deprecated(message = "Replace with the primary constructor")
     constructor (
         clientAuthentication: ClientAuthentication,
         authFlowRedirectionURI: URI,
@@ -135,12 +141,14 @@ data class OpenId4VCIConfig(
         parUsage,
         clock,
         issuerMetadataPolicy,
+        ProofsConfig.All,
     )
 
     /**
-     * Creates a new [OpenId4VCIConfig] instance for a Wallet that uses [a Public OAuth 2.0 Client][ClientAuthentication.None].
+     * Creates a new [OpenId4VCIConfig] instance for a Wallet that uses [a Public OAuth 2.0 Client][ClientAuthentication.None], and
+     * supports all [Proof Types][ProofsConfig].
      */
-    @Deprecated(message = "Replace with the constructor that uses DPoPUsage.")
+    @Deprecated(message = "Replace with the primary constructor")
     constructor(
         clientId: ClientId,
         authFlowRedirectionURI: URI,
@@ -161,6 +169,7 @@ data class OpenId4VCIConfig(
         parUsage,
         clock,
         issuerMetadataPolicy,
+        ProofsConfig.All,
     )
 
     @Deprecated(
@@ -320,3 +329,53 @@ sealed interface IssuerMetadataPolicy {
      */
     data object IgnoreSigned : IssuerMetadataPolicy
 }
+
+/**
+ * Wallet supported Proofs.
+ *
+ * A Wallet has to configure whether it supports non-device-bound attestations, as well as the Proofs supported for device-bound attestations.
+ *
+ * @property supportsDeviceBound Whether the Wallet supports non-device-bound attestations.
+ * @property deviceBound Whether the Wallet supports device-bound attestations, and the Proofs it supports.
+ */
+data class ProofsConfig(
+    val supportsNonDeviceBound: Boolean,
+    val deviceBound: DeviceBound?,
+) {
+    val supportsDeviceBound: Boolean
+        get() = null != deviceBound
+
+    companion object {
+        val All: ProofsConfig = ProofsConfig(
+            supportsNonDeviceBound = true,
+            deviceBound = DeviceBound(null, DeviceBound.Proof.entries.toSet()),
+        )
+
+        val None: ProofsConfig = ProofsConfig(
+            supportsNonDeviceBound = false,
+            deviceBound = null,
+        )
+    }
+
+    /**
+     * The Proofs a Wallet supports for device-bound attestations.
+     *
+     * @property algorithms The JWS Algorithms the Wallet supports for device-bound attestations. Set to *null* if the Wallet supports all algorithms.
+     * @property proofs The Proofs the Wallet supports for device-bound attestations.
+     */
+    data class DeviceBound(
+        val algorithms: Set<JWSAlgorithm>?,
+        val proofs: Set<Proof>,
+    ) {
+        init {
+            require(null == algorithms || algorithms.isNotEmpty()) { "At least one algorithm must be supported" }
+            require(proofs.isNotEmpty()) { "At least one proof must be supported" }
+        }
+
+        enum class Proof {
+            JwtProofWithoutKeyAttestation,
+            JwtProofWithKeyAttestation,
+            AttestationProof,
+        }
+    }
+}

src/main/kotlin/eu/europa/ec/eudi/openid4vci/internal/RequestIssuanceImpl.kt

@@ -104,7 +104,9 @@ internal class RequestIssuanceImpl(
         credentialConfigId: CredentialConfigurationIdentifier,
         grant: Grant,
     ): Pair<List<Proof>, Nonce?> {
-        proofsSpecification.ensureCompatibleWith(credentialConfigId)
+        val credentialConfiguration = credentialSupportedById(credentialConfigId)
+        config.proofs.ensureCompatibleWith(credentialConfiguration.proofTypesSupported)
+        proofsSpecification.ensureCompatibleWith(credentialConfiguration)
 
         return when (proofsSpecification) {
             is ProofsSpecification.NoProofs -> emptyList<Proof>() to null
@@ -147,8 +149,7 @@ internal class RequestIssuanceImpl(
         }
     }
 
-    private fun ProofsSpecification.ensureCompatibleWith(credentialConfigId: CredentialConfigurationIdentifier) {
-        val credentialConfiguration = credentialSupportedById(credentialConfigId)
+    private fun ProofsSpecification.ensureCompatibleWith(credentialConfiguration: CredentialConfiguration) {
         val proofTypesSupported = credentialConfiguration.proofTypesSupported
 
         when (this) {
@@ -181,9 +182,11 @@ internal class RequestIssuanceImpl(
             }
 
             is ProofsSpecification.AttestationProof -> {
-                requireNotNull(proofTypesSupported[ProofType.ATTESTATION]) {
+                val proofRequirement = proofTypesSupported[ProofType.ATTESTATION]
+                requireNotNull(proofRequirement) {
                     "Credential configuration doesn't support attestation proofs."
                 }
+                check(proofRequirement is ProofTypeMeta.Attestation)
             }
         }
     }
@@ -404,3 +407,39 @@ internal sealed interface SubmissionOutcomeInternal {
             is Failed -> SubmissionOutcome.Failed(error)
         }
 }
+
+private fun ProofsConfig.ensureCompatibleWith(supportedProofTypes: ProofTypesSupported) {
+    when (supportedProofTypes) {
+        ProofTypesSupported.Empty -> {
+            require(supportsNonDeviceBound) { "Wallet doesn't support non-device-bound attestations" }
+        }
+
+        else -> {
+            val deviceBoundConfig = requireNotNull(deviceBound) { "Wallet doesn't support device-bound attestations" }
+
+            val supportsJwtProofs = supportedProofTypes[ProofType.JWT]?.let { jwtProof ->
+                check(jwtProof is ProofTypeMeta.Jwt)
+                val supportsAnySigningAlgorithm =
+                    if (null == deviceBoundConfig.algorithms) true
+                    else jwtProof.algorithms.any { it in deviceBoundConfig.algorithms }
+                val proofType = when (jwtProof.keyAttestationRequirement) {
+                    KeyAttestationRequirement.NotRequired -> ProofsConfig.DeviceBound.Proof.JwtProofWithoutKeyAttestation
+                    is KeyAttestationRequirement.Required -> ProofsConfig.DeviceBound.Proof.JwtProofWithKeyAttestation
+                }
+                val supportsProofType = proofType in deviceBoundConfig.proofs
+                supportsAnySigningAlgorithm && supportsProofType
+            } ?: false
+
+            val supportsAttestationProofs = supportedProofTypes[ProofType.ATTESTATION]?.let { attestationProof ->
+                check(attestationProof is ProofTypeMeta.Attestation)
+                val supportsAnySigningAlgorithm =
+                    if (null == deviceBoundConfig.algorithms) true
+                    else attestationProof.algorithms.any { it in deviceBoundConfig.algorithms }
+                val supportsProofType = ProofsConfig.DeviceBound.Proof.AttestationProof in deviceBoundConfig.proofs
+                supportsAnySigningAlgorithm && supportsProofType
+            } ?: false
+
+            require(supportsJwtProofs || supportsAttestationProofs) { "Wallet doesn't support any of the advertised Proofs" }
+        }
+    }
+}

src/test/kotlin/eu/europa/ec/eudi/openid4vci/IssuanceSingleRequestTest.kt

@@ -15,6 +15,7 @@
  */
 package eu.europa.ec.eudi.openid4vci
 
+import com.nimbusds.jose.JWSAlgorithm
 import com.nimbusds.jose.JWSObject
 import com.nimbusds.jose.jwk.Curve
 import com.nimbusds.jose.jwk.gen.ECKeyGenerator
@@ -995,4 +996,141 @@ class IssuanceSingleRequestTest {
                 authorizedRequest.request(requestPayload, attestationProofSpec()).getOrThrow()
             }
         }
+
+    @Test
+    fun `when wallet does not support non device bound attestation, issuance fails`() =
+        runTest {
+            val mockedHttpClient = mockedHttpClient(
+                credentialIssuerMetadataWellKnownMocker(),
+                authServerWellKnownMocker(),
+                parPostMocker(),
+                tokenPostMocker(),
+            )
+            val (authorizedRequest, issuer) = authorizeRequestForCredentialOffer(
+                config = OpenId4VCIConfiguration.copy(proofs = ProofsConfig.None),
+                credentialOfferStr = CredentialOfferWithMDLMdoc_NO_GRANTS,
+                httpClient = mockedHttpClient,
+            )
+
+            val credentialConfigurationId = issuer.credentialOffer.credentialConfigurationIdentifiers[0]
+            with(issuer) {
+                val requestPayload = IssuanceRequestPayload.ConfigurationBased(credentialConfigurationId)
+                val exception = assertFailsWith<IllegalArgumentException> {
+                    authorizedRequest.request(requestPayload, ProofsSpecification.NoProofs).getOrThrow()
+                }
+                assertEquals("Wallet doesn't support non-device-bound attestations", exception.message)
+            }
+        }
+
+    @Test
+    fun `when wallet does not support device bound attestation, issuance fails`() =
+        runTest {
+            val mockedHttpClient = mockedHttpClient(
+                credentialIssuerMetadataWellKnownMocker(),
+                authServerWellKnownMocker(),
+                parPostMocker(),
+                tokenPostMocker(),
+            )
+            val (authorizedRequest, issuer) = authorizeRequestForCredentialOffer(
+                config = OpenId4VCIConfiguration.copy(proofs = ProofsConfig.None),
+                credentialOfferStr = CredentialOfferWithSdJwtVc_NO_GRANTS,
+                httpClient = mockedHttpClient,
+            )
+
+            val credentialConfigurationId = issuer.credentialOffer.credentialConfigurationIdentifiers[0]
+            with(issuer) {
+                val requestPayload = IssuanceRequestPayload.ConfigurationBased(credentialConfigurationId)
+                val exception = assertFailsWith<IllegalArgumentException> {
+                    authorizedRequest.request(requestPayload, noKeyAttestationJwtProofsSpec()).getOrThrow()
+                }
+                assertEquals("Wallet doesn't support device-bound attestations", exception.message)
+            }
+        }
+
+    @Test
+    fun `when wallet does supports device bound attestation, but none of the advertised algorithms, issuance fails`() =
+        runTest {
+            val mockedHttpClient = mockedHttpClient(
+                credentialIssuerMetadataWellKnownMocker(),
+                authServerWellKnownMocker(),
+                parPostMocker(),
+                tokenPostMocker(),
+            )
+            val (authorizedRequest, issuer) = authorizeRequestForCredentialOffer(
+                config = OpenId4VCIConfiguration.copy(
+                    proofs = ProofsConfig(
+                        supportsNonDeviceBound = false,
+                        deviceBound = ProofsConfig.DeviceBound(
+                            algorithms = setOf(
+                                JWSAlgorithm.ES512,
+                            ),
+                            proofs = setOf(ProofsConfig.DeviceBound.Proof.JwtProofWithoutKeyAttestation),
+                        ),
+                    ),
+                ),
+                credentialOfferStr = CredentialOfferWithSdJwtVc_NO_GRANTS,
+                httpClient = mockedHttpClient,
+            )
+
+            val credentialConfigurationId = issuer.credentialOffer.credentialConfigurationIdentifiers[0]
+            with(issuer) {
+                val requestPayload = IssuanceRequestPayload.ConfigurationBased(credentialConfigurationId)
+                val exception = assertFailsWith<IllegalArgumentException> {
+                    authorizedRequest.request(requestPayload, noKeyAttestationJwtProofsSpec()).getOrThrow()
+                }
+                assertEquals("Wallet doesn't support any of the advertised Proofs", exception.message)
+            }
+        }
+
+    @Test
+    fun `when wallet does not support the required device bound attestation proof, issuance fails`() =
+        runTest {
+            suspend fun test(
+                supportedProofType: ProofsConfig.DeviceBound.Proof,
+                credentialOffer: String,
+                proofsSpecification: ProofsSpecification,
+            ) {
+                val mockedHttpClient = mockedHttpClient(
+                    credentialIssuerMetadataWellKnownMocker(IssuerMetadataVersion.ATTESTATION_PROOF_SUPPORTED),
+                    authServerWellKnownMocker(),
+                    parPostMocker(),
+                    tokenPostMocker(),
+                )
+                val (authorizedRequest, issuer) = authorizeRequestForCredentialOffer(
+                    config = OpenId4VCIConfiguration.copy(
+                        proofs = ProofsConfig(
+                            supportsNonDeviceBound = false,
+                            deviceBound = ProofsConfig.DeviceBound(
+                                algorithms = null,
+                                proofs = setOf(supportedProofType),
+                            ),
+                        ),
+                    ),
+                    credentialOfferStr = credentialOffer,
+                    httpClient = mockedHttpClient,
+                )
+
+                val credentialConfigurationId = issuer.credentialOffer.credentialConfigurationIdentifiers[0]
+                with(issuer) {
+                    val requestPayload = IssuanceRequestPayload.ConfigurationBased(credentialConfigurationId)
+                    val exception = assertFailsWith<IllegalArgumentException> {
+                        authorizedRequest.request(requestPayload, proofsSpecification).getOrThrow()
+                    }
+                    assertEquals("Wallet doesn't support any of the advertised Proofs", exception.message)
+                }
+            }
+
+            // Wallet supports Jwt Proofs without Key Attestations, but Credential Issuer requires Jwt Proofs with Key Attestations
+            test(
+                ProofsConfig.DeviceBound.Proof.JwtProofWithoutKeyAttestation,
+                CredentialOfferWithSdJwtVc_NO_GRANTS,
+                noKeyAttestationJwtProofsSpec(),
+            )
+
+            // Wallet supports Jwt Proofs with Key Attestations, but Credential Issuer requires Jwt Proofs without Key Attestations
+            test(ProofsConfig.DeviceBound.Proof.JwtProofWithKeyAttestation, CredentialOfferMsoMdoc_NO_GRANTS, keyAttestationJwtProofsSpec())
+
+            // Wallet supports Attestation Proofs, but Credential Issuer requires Jwt Proofs without Key Attestations
+            test(ProofsConfig.DeviceBound.Proof.AttestationProof, CredentialOfferMsoMdoc_NO_GRANTS, attestationProofSpec())
+        }
 }

src/test/kotlin/eu/europa/ec/eudi/openid4vci/TestUtils.kt

@@ -89,6 +89,7 @@ val OpenId4VCIConfiguration = OpenId4VCIConfig(
     authFlowRedirectionURI = URI.create("eudi-wallet//auth"),
     encryptionSupportConfig = EncryptionSupportConfig(Curve.P_256, 2048, CredentialResponseEncryptionPolicy.SUPPORTED),
     dPoPUsage = DPoPUsage.Never,
+    proofs = ProofsConfig.All,
 )
 
 val OpenId4VCIConfigurationWithDpopSigner = OpenId4VCIConfig(
@@ -101,6 +102,7 @@ val OpenId4VCIConfigurationWithDpopSigner = OpenId4VCIConfig(
             alg = JWSAlgorithm.ES256,
         ),
     ),
+    proofs = ProofsConfig.All,
 )
 
 suspend fun authorizeRequestForCredentialOffer(

src/test/kotlin/eu/europa/ec/eudi/openid4vci/examples/OfferBasedIssuanceUsingPreAuthorizationFlow.kt

@@ -28,6 +28,7 @@ fun main(): Unit = runBlocking {
         authFlowRedirectionURI = URI.create("urn:ietf:wg:oauth:2.0:oob"),
         encryptionSupportConfig = EncryptionSupportConfig(Curve.P_256, 2048, CredentialResponseEncryptionPolicy.SUPPORTED),
         dPoPUsage = DPoPUsage.Never,
+        proofs = ProofsConfig.All,
     )
     val credentialOfferUrl =
         "openid-credential-offer://?credential_offer_uri=https%3A%2F%2Ftrial.authlete.net" +

src/test/kotlin/eu/europa/ec/eudi/openid4vci/examples/PidDevIssuer.kt

@@ -39,6 +39,7 @@ internal object PidDevIssuer :
         authorizeIssuanceConfig = AuthorizeIssuanceConfig.FAVOR_SCOPES,
         dPoPUsage = DPoPUsage.Required(CryptoGenerator.ecSigner()),
         parUsage = ParUsage.Required,
+        proofs = ProofsConfig.All,
     )
 
     val PID_SdJwtVC_config_id = CredentialConfigurationIdentifier("eu.europa.ec.eudi.pid_vc_sd_jwt")