Add information about X509Certificates

README.md

@@ -9,6 +9,7 @@ the [EUDI Wallet Reference Implementation project description](https://github.co
 
 * [Overview](#overview)
 * [Disclaimer](#disclaimer)
+* [Installation](#installation)
 * [Use cases supported](#use-cases-supported)
 * [Configuration options](#configuration-options)
 * [Other features](#other-features)
@@ -60,6 +61,27 @@ The released software is an initial development release version:
 -  We strongly recommend to not put this version of the software into production use.
 -  Only the latest version of the software will be supported
 
+## Installation
+
+To include the library in your project, add the following dependency in `build.gradle.kts` :
+
+```kotlin
+dependencies {
+    implementation("eu.europa.ec.eudi:eudi-lib-jvm-openid4vci-kt:${version}")
+}
+```
+
+> [!IMPORTANT]  
+> In case you require support for `X509Certificates`, the Bouncy Castle Java Security Provider must be present in the classpath of your project.
+> 
+> You are advised to include the following dependency in `build.gradle.kts`:
+> 
+> ```kotlin
+> dependencies {
+>     implementation("org.bouncycastle:bcpkix-jdk18on:${bouncyCastleVersion}")
+> }
+> ```
+
 ## Use cases supported
 
 ### Wallet-initiated issuance

build.gradle.kts

@@ -45,6 +45,7 @@ dependencies {
     testImplementation(libs.logback.classic)
     testImplementation(libs.cbor)
     testImplementation(libs.tink)
+    testImplementation(libs.bouncycastle.pkix)
 }
 
 java {

gradle/libs.versions.toml

@@ -14,6 +14,7 @@ maven-publish = "0.34.0"
 logback = "1.5.18"
 kover = "0.9.1"
 tink = "1.17.0"
+bouncycastle = "1.83"
 
 [libraries]
 nimbus-oauth2-oidc-sdk = { module = "com.nimbusds:oauth2-oidc-sdk", version.ref = "nimbus-sdk" }
@@ -26,11 +27,12 @@ ktor-client-okhttp = { module = "io.ktor:ktor-client-okhttp", version.ref = "kto
 ktor-server-test-host = { module = "io.ktor:ktor-server-test-host", version.ref = "ktor" }
 ktor-server-content-negotiation = { module = "io.ktor:ktor-server-content-negotiation", version.ref = "ktor" }
 ktor-client-mock = { module = "io.ktor:ktor-client-mock", version.ref = "ktor" }
-ktor-client-logging = {module ="io.ktor:ktor-client-logging", version.ref="ktor"}
+ktor-client-logging = { module = "io.ktor:ktor-client-logging", version.ref = "ktor" }
 jsoup = { module = "org.jsoup:jsoup", version.ref = "jsoup" }
 cbor = { module = "co.nstant.in:cbor", version.ref = "cbor" }
-logback-classic = {module="ch.qos.logback:logback-classic", version.ref="logback"}
+logback-classic = { module = "ch.qos.logback:logback-classic", version.ref = "logback" }
 tink = { module = "com.google.crypto.tink:tink", version.ref = "tink" }
+bouncycastle-pkix = { module = "org.bouncycastle:bcpkix-jdk18on", version.ref = "bouncycastle" }
 
 [plugins]
 dependency-check = { id = "org.owasp.dependencycheck", version.ref = "dependency-check" }
@@ -39,4 +41,4 @@ kotlin-jvm = { id = "org.jetbrains.kotlin.jvm", version.ref = "kotlin" }
 kotlin-serialization = { id = "org.jetbrains.kotlin.plugin.serialization", version.ref = "kotlin" }
 spotless = { id = "com.diffplug.spotless", version.ref = "spotless" }
 dokka = { id = "org.jetbrains.dokka", version.ref = "dokka" }
-maven-publish = { id = "com.vanniktech.maven.publish", version.ref="maven-publish" }
+maven-publish = { id = "com.vanniktech.maven.publish", version.ref = "maven-publish" }

src/main/kotlin/eu/europa/ec/eudi/openid4vci/Types.kt

@@ -367,6 +367,7 @@ fun interface CertificateChainTrust {
  */
 sealed interface IssuerTrust {
 
+    @Deprecated("Use IssuerTrust.ByCertificateChain instead")
     data class ByPublicKey(val jwk: JWK) : IssuerTrust {
         init {
             require(!jwk.isPrivate) { "Only public JWKs are supported" }

src/test/kotlin/eu/europa/ec/eudi/openid4vci/DefaultCredentialIssuerMetadataResolverTest.kt

@@ -347,6 +347,20 @@ internal class DefaultCredentialIssuerMetadataResolverTest {
         id = CredentialIssuerId("https://issuer.example.com/tenant").getOrThrow()
         assertEquals("https://issuer.example.com/.well-known/openid-credential-issuer/tenant", id.wellKnown().toString())
     }
+
+    @Test
+    internal fun `resolution succeeds for signed metadata that use x5c`() = runTest {
+        val credentialIssuerId = CredentialIssuerId("https://dev.issuer-backend.eudiw.dev").getOrThrow()
+        val resolver = resolver(
+            credentialIssuerMetaDataHandler(
+                credentialIssuerId,
+                "eu/europa/ec/eudi/openid4vci/internal/openid-credential-issuer-signed-metadata-x5c.jwt",
+                listOf("application/jwt"),
+            ),
+        )
+        val policy = IssuerMetadataPolicy.RequireSigned(IssuerTrust.ByCertificateChain { true })
+        assertDoesNotThrow { resolver.resolve(credentialIssuerId, policy).getOrThrow() }
+    }
 }
 
 private fun Map<CredentialConfigurationIdentifier, CredentialConfiguration>.jwtProofTypeSupported(