feat: More validation for OpenID credential issuers in attribute sharing (dfinity#3606)

<!-- Make sure you talk to us before submitting changes. See
CONTRIBUTING.md. -->

# Motivation

Fail early by pre-validating OpenID credential issuers used in attribute
sharing scopes.

# Changes

* Adds validation function for OpenID credential issuer identifiers
requiring HTTPS, prohibiting query/fragment parameters, and enforcing a
maximum length of 1024 characters

# Tests

* Updates all test cases to use valid HTTPS URLs for issuer identifiers
* Adds extensive test coverage for validation edge cases including IPv6
addresses, length limits, and invalid formats

Author: aterga

src/frontend/src/lib/icons/john-dao_logo.webp

@@ -324,18 +324,6 @@
     "oneLiner": "Your AI-powered companion for simplifying and streamlining the Motoko coding experience.",
     "logo": "motokopilot_logo.png"
   },
-  {
-    "name": "NOBLEBLOCKS",
-    "website": "https://www.nobleblocks.com",
-    "logo": "nobleblocks_logo.webp",
-    "oneLiner": "A Community-Driven DeSci Project for Scientific Publishing"
-  },
-  {
-    "name": "John Dao",
-    "website": "https://johndao.gg",
-    "logo": "john-dao_logo.webp",
-    "oneLiner": "A Twitter/X account controlled by a DAO on the Internet Computer"
-  },
   {
     "name": "aVa",
     "website": "https://ksayv-myaaa-aaaan-qedxq-cai.icp0.io",

src/frontend/src/lib/icons/nobleblocks_logo.webp

@@ -1,8 +1,8 @@
 use crate::{
-    openid::{OpenIdCredential, OpenIdCredentialKey, OPENID_SESSION_DURATION_NS},
+    openid::{OpenIdCredential, OpenIdCredentialKey},
     state,
     storage::{account::Account, anchor::Anchor},
-    update_root_hash,
+    update_root_hash, MINUTE_NS,
 };
 use ic_canister_sig_creation::signature_map::{CanisterSigInputs, SignatureMap};
 use ic_representation_independent_hash::{representation_independent_hash, Value};
@@ -15,8 +15,12 @@ use internet_identity_interface::internet_identity::types::{
 };
 use std::collections::{BTreeMap, BTreeSet};
 
+/// Domain separator for attribute certification signatures. Clients need this to verify signatures.
 const ATTRIBUTES_CERTIFICATION_DOMAIN: &[u8] = b"ii-request-attribute";
-const ATTRIBUTES_CERTIFICATION_SESSION_DURATION_NS: u64 = OPENID_SESSION_DURATION_NS;
+
+/// Duration for which attribute certifications are valid. Does not strictly need to be the same
+/// as `OPENID_SESSION_DURATION_NS`, but for simplicity we keep them aligned for now.
+const ATTRIBUTES_CERTIFICATION_SESSION_DURATION_NS: u64 = 30 * MINUTE_NS;
 
 fn expiration_timestamp_ns(issued_at_timestamp_ns: Timestamp) -> Timestamp {
     issued_at_timestamp_ns.saturating_add(ATTRIBUTES_CERTIFICATION_SESSION_DURATION_NS)
@@ -84,7 +88,7 @@ impl Anchor {
     /// Processes `requested_attributes` for all attribute scopes, prepares signatures for
     /// the (attribute_key, attribute_value) pairs that can be fulfilled for this (anchor, account).
     ///
-    /// Returns the list of attribute keys certified with expiry `now_timestamp_ns + OPENID_SESSION_DURATION_NS`.
+    /// Returns the list of attribute keys certified with expiry `now_timestamp_ns + ATTRIBUTES_CERTIFICATION_SESSION_DURATION_NS`.
     pub fn prepare_attributes(
         &self,
         requested_attributes: BTreeMap<Option<AttributeScope>, BTreeSet<AttributeName>>,
@@ -133,6 +137,12 @@ impl Anchor {
                     issuer: openid_credential.iss.clone(),
                 });
                 // E.g., {`email`, `name`}
+                //
+                // Why we do not include `sub` / `aud` into the keys of this map:
+                // --------------------------------------------------------------
+                // Currently, an anchor can only have a single iss linked once. The storage layer
+                // allows for duplicate iss, but the implementation has been restricted to enforce
+                // the one-to-one relationship.
                 let attribute_names = requested_attributes.remove(&scope)?;
 
                 let mut attribute_keys: BTreeMap<AttributeName, AttributeKey> = attribute_names
@@ -188,7 +198,8 @@ impl OpenIdCredential {
         attributes: &Vec<Attribute>,
         now_timestamp_ns: Timestamp,
     ) {
-        let expiration_timestamp_ns = now_timestamp_ns.saturating_add(OPENID_SESSION_DURATION_NS);
+        let expiration_timestamp_ns =
+            now_timestamp_ns.saturating_add(ATTRIBUTES_CERTIFICATION_SESSION_DURATION_NS);
 
         let seed = account.calculate_seed();
 

src/frontend/src/lib/legacy/flows/dappsExplorer/dapps.json

@@ -1308,7 +1308,8 @@ mod attribute_sharing {
     }
 }
 
-/// API for the attribute sharing mvp
+/// Legacy API for the original attribute sharing MVP (VC-based).
+/// The current attribute sharing protocol endpoints live in `mod attribute_sharing`.
 mod attribute_sharing_old_vc {
     use super::*;
 

src/internet_identity/src/attributes.rs

@@ -1,4 +1,4 @@
-//! Tests related to prepare_delegation, get_delegation and get_principal II canister calls.
+//! Tests related to prepare_attributes and get_attributes II canister calls.
 
 use canister_tests::api::internet_identity as api;
 use canister_tests::framework::*;