Merge remote-tracking branch 'origin/main'

Author: waltkb

waltid-applications/waltid-web-wallet/apps/waltid-dev-wallet/src/pages/login.vue

@@ -431,11 +431,12 @@ const MMSDK = new MetaMaskSDK({
   injectProvider: true
 });
 
-await MMSDK.connect();
-const ethereum = MMSDK.getProvider();
+
 
 
 async function openWeb3() {
+  await MMSDK.connect();
+  const ethereum = MMSDK.getProvider();
     const response = await fetch("/wallet-api/auth/account/web3/nonce", { method: "GET" });
     const challenge = await response.text();
     console.log("====Frontend DEBUG LOGS====");

waltid-libraries/protocols/waltid-openid4vc/src/commonMain/kotlin/id/walt/oid4vc/interfaces/ISessionCache.kt

@@ -8,9 +8,13 @@ interface ISessionCache<T> {
 
     /**
      * Puts the specified [session] with the specified [id] in the session cache.
+     * @param id The ID to store the session under
+     * @param session The session to store
+     * @param ttl Optional custom time-to-live duration for this session.
+     *            If null, the default expiration is used.
      * @return the previous value associated with the [id], or `null` if the key was not present in the cache.
      */
-    fun putSession(id: String, session: T)
+    fun putSession(id: String, session: T, ttl: kotlin.time.Duration? = null)
 
     fun getSessionByAuthServerState(authServerState: String): T?
     /**

waltid-libraries/protocols/waltid-openid4vc/src/commonMain/kotlin/id/walt/oid4vc/providers/OpenIDCredentialVerifier.kt

@@ -46,7 +46,8 @@ abstract class OpenIDCredentialVerifier(val config: CredentialVerifierConfig) :
         clientIdScheme: ClientIdScheme = config.defaultClientIdScheme,
         openId4VPProfile: OpenId4VPProfile = OpenId4VPProfile.DEFAULT,
         walletInitiatedAuthState: String? = null,
-        trustedRootCAs: List<String>? = null
+        trustedRootCAs: List<String>? = null,
+        sessionTtl: Duration? = null // Custom TTL duration for the session
     ): PresentationSession {
         val session = PresentationSession(
             id = sessionId ?: ShortIdUtils.randomSessionId(),
@@ -58,7 +59,7 @@ abstract class OpenIDCredentialVerifier(val config: CredentialVerifierConfig) :
             openId4VPProfile = openId4VPProfile,
             trustedRootCAs = trustedRootCAs
         ).also {
-            putSession(it.id, it)
+            putSession(it.id, it, sessionTtl ?: expiresIn)
         }
         val presentationDefinitionUri = when(openId4VPProfile) {
             OpenId4VPProfile.ISO_18013_7_MDOC, OpenId4VPProfile.HAIP -> null
@@ -108,18 +109,28 @@ abstract class OpenIDCredentialVerifier(val config: CredentialVerifierConfig) :
             nonce = Uuid.random().toString()
         )
         return session.copy(authorizationRequest = authReq).also {
-            putSession(session.id, it)
+            putSession(session.id, it, sessionTtl ?: expiresIn)
         }
     }
 
     open fun verify(tokenResponse: TokenResponse, session: PresentationSession): PresentationSession {
         // https://json-schema.org/specification
         // https://github.com/OptimumCode/json-schema-validator
+        // Calculate the remaining time to live based on the session's expiration timestamp
+        val remainingTtl = session.expirationTimestamp?.let {
+            val now = Clock.System.now()
+            if (it > now) {
+                it - now  // Calculate duration between now and expiration
+            } else {
+                null  // Already expired
+            }
+        }
+        
         return session.copy(
             tokenResponse = tokenResponse,
             verificationResult = doVerify(tokenResponse, session)
         ).also {
-            putSession(it.id, it)
+            putSession(it.id, it, remainingTtl)
         }
     }
 

waltid-libraries/protocols/waltid-openid4vc/src/jvmTest/kotlin/id/walt/oid4vc/EBSITestWallet.kt

@@ -42,6 +42,7 @@ import io.ktor.serialization.kotlinx.json.*
 import kotlinx.coroutines.runBlocking
 import kotlinx.datetime.Instant
 import kotlinx.serialization.json.*
+import kotlin.time.Duration
 import kotlin.uuid.ExperimentalUuidApi
 import kotlin.uuid.Uuid
 
@@ -225,7 +226,7 @@ class EBSITestWallet(
         )
     }
 
-    override fun putSession(id: String, session: SIOPSession) {
+    override fun putSession(id: String, session: SIOPSession, ttl: Duration?) {
         sessionCache[id] = session
     }
 

waltid-libraries/protocols/waltid-openid4vc/src/jvmTest/kotlin/id/walt/oid4vc/TestCredentialWallet.kt

@@ -52,6 +52,7 @@ import io.ktor.util.*
 import kotlinx.coroutines.runBlocking
 import kotlinx.datetime.Instant
 import kotlinx.serialization.json.*
+import kotlin.time.Duration
 
 const val WALLET_PORT = 8001
 const val WALLET_BASE_URL = "http://localhost:${WALLET_PORT}"
@@ -241,7 +242,7 @@ class TestCredentialWallet(
         TODO("Not yet implemented")
     }
 
-    override fun putSession(id: String, session: SIOPSession) {
+    override fun putSession(id: String, session: SIOPSession, ttl: Duration?) {
         sessionCache[id] = session
     }
 

waltid-libraries/protocols/waltid-openid4vc/src/jvmTest/kotlin/id/walt/oid4vc/VPTestVerifier.kt

@@ -22,6 +22,7 @@ import kotlinx.coroutines.runBlocking
 import kotlinx.serialization.json.Json
 import kotlinx.serialization.json.jsonObject
 import kotlinx.serialization.json.jsonPrimitive
+import kotlin.time.Duration
 
 const val VP_VERIFIER_PORT = 8002
 const val VP_VERIFIER_BASE_URL = "http://localhost:$VP_VERIFIER_PORT"
@@ -34,7 +35,7 @@ class VPTestVerifier : OpenIDCredentialVerifier(
     private val presentationDefinitionCache = mutableMapOf<String, PresentationDefinition>()
     override fun getSession(id: String): PresentationSession? = sessionCache[id]
 
-    override fun putSession(id: String, session: PresentationSession) {
+    override fun putSession(id: String, session: PresentationSession, ttl: Duration?) {
         sessionCache[id] = session
     }
 

waltid-libraries/waltid-core-wallet/src/jvmMain/java/id/walt/wallet/core/service/oidc4vc/TestCredentialWallet.kt

@@ -383,7 +383,7 @@ class TestCredentialWallet(
         TODO("Not yet implemented")
     }
 
-    override fun putSession(id: String, session: VPresentationSession) {
+    override fun putSession(id: String, session: VPresentationSession, ttl: Duration?) {
         sessionCache[id] = session
     }
 

waltid-services/waltid-e2e-tests/config/credential-issuer-metadata.conf

@@ -36,6 +36,13 @@ supportedCredentialTypes = {
         doctype = "org.iso.18013.5.1.mDL"
     }
 
+    "org.iso.18013.5.1.mDL-JWT-Proof" = {
+        format = mso_mdoc
+        cryptographic_binding_methods_supported = ["cose_key"]
+        credential_signing_alg_values_supported = ["ES256"]
+        doctype = "org.iso.18013.5.1.mDL"
+    }
+
     "urn:eu.europa.ec.eudi:pid:1" = {
         format = "vc+sd-jwt"
         cryptographic_binding_methods_supported = ["jwk"]

waltid-services/waltid-e2e-tests/src/test/kotlin/LspPotentialWallet.kt

@@ -53,9 +53,9 @@ class LspPotentialWallet(val client: HttpClient, val walletId: String) {
         }
     }
 
-    suspend fun testMDocIssuance() = test("test mdoc issuance") {
+    suspend fun testMDocIssuance(issuanceRequestData: String, useForPresentation: Boolean) = test("test mdoc issuance") {
         // === get credential offer from test issuer API ===
-        val issuanceReq = Json.decodeFromString<IssuanceRequest>(IssuanceExamples.mDLCredentialIssuanceData).copy(
+        val issuanceReq = Json.decodeFromString<IssuanceRequest>(issuanceRequestData).copy(
             authenticationMethod = AuthenticationMethod.PRE_AUTHORIZED
         )
         val offerResp = client.post("/openid4vc/mdoc/issue") {
@@ -77,7 +77,7 @@ class LspPotentialWallet(val client: HttpClient, val walletId: String) {
         }.expectSuccess().body<CredentialOffer.Draft13>()
 
         assertEquals(1, resolvedOffer.credentialConfigurationIds.size)
-        assertEquals("org.iso.18013.5.1.mDL", resolvedOffer.credentialConfigurationIds.first())
+        assertEquals(issuanceReq.credentialConfigurationId, resolvedOffer.credentialConfigurationIds.first())
 
         // === resolve issuer metadata ===
         val issuerMetadata =
@@ -100,7 +100,8 @@ class LspPotentialWallet(val client: HttpClient, val walletId: String) {
         val fetchedCredential = client.get("/wallet-api/wallet/$walletId/credentials/${issuedCred.id}")
             .expectSuccess().body<WalletCredential>()
         assertEquals(issuedCred.format, fetchedCredential.format)
-        runBlocking { issuedMdocId = fetchedCredential.id }
+        if(useForPresentation)
+            runBlocking { issuedMdocId = fetchedCredential.id }
     }
 
     suspend fun testMdocPresentation() = test("test mdoc presentation") {

waltid-services/waltid-e2e-tests/src/test/kotlin/WaltidServicesE2ETests.kt

@@ -9,6 +9,7 @@ import id.walt.commons.web.plugins.httpJson
 import id.walt.credentials.schemes.JwsSignatureScheme
 import id.walt.crypto.keys.KeyGenerationRequest
 import id.walt.crypto.keys.KeyType
+import id.walt.issuer.issuance.IssuanceExamples
 import id.walt.issuer.issuance.IssuanceRequest
 import id.walt.issuer.issuerModule
 import id.walt.issuer.lspPotential.lspPotentialIssuanceTestApi
@@ -323,7 +324,8 @@ class WaltidServicesE2ETests {
         lspPotentialVerification.testPotentialInteropTrack3()
         lspPotentialVerification.testPotentialInteropTrack4()
         val lspPotentialWallet = setupTestWallet()
-        lspPotentialWallet.testMDocIssuance()
+        lspPotentialWallet.testMDocIssuance(IssuanceExamples.mDLCredentialIssuanceData, true)
+        lspPotentialWallet.testMDocIssuance(IssuanceExamples.mDLCredentialIssuanceDataJwtProof, false)
         lspPotentialWallet.testMdocPresentation()
         lspPotentialWallet.testSDJwtVCIssuance()
         lspPotentialWallet.testSDJwtPresentation(OpenId4VPProfile.HAIP)

waltid-services/waltid-issuer-api/src/main/kotlin/id/walt/issuer/issuance/CIProvider.kt

@@ -5,6 +5,7 @@ package id.walt.issuer.issuance
 import org.cose.java.AlgorithmID
 import org.cose.java.OneKey
 import cbor.Cbor
+import com.nimbusds.jose.jwk.ECKey
 import com.nimbusds.jose.jwk.JWK
 import com.nimbusds.jose.util.X509CertUtils
 import id.walt.commons.config.ConfigManager
@@ -153,9 +154,9 @@ open class CIProvider(
     }
 
 
-    fun putSession(id: String, session: IssuanceSession) {
+    fun putSession(id: String, session: IssuanceSession, ttl: Duration? = null) {
         log.debug { "SETTING CI AUTH SESSION: $id = $session" }
-        authSessions[id] = session
+        authSessions.set(id, session, ttl)
     }
 
     fun removeSession(id: String) {
@@ -266,18 +267,36 @@ open class CIProvider(
         }))
     }
 
+    private suspend fun extractHolderKey(proof: ProofOfPossession): COSECryptoProviderKeyInfo? {
+        when(proof.proofType) {
+            ProofType.cwt -> {
+                return proof.cwt?.base64UrlDecode()?.let {
+                    COSESign1Utils.extractHolderKey(Cbor.decodeFromByteArray<COSESign1>(it))
+                }
+            }
+            else -> {
+                return proof.jwt?.let { JwtUtils.parseJWTHeader(it) }?.get(JWTClaims.Header.jwk)?.jsonObject?.let {
+                    JWKKey.importJWK(it.toString()).getOrNull()?.let { key ->
+                        COSECryptoProviderKeyInfo(
+                            key.getKeyId(),
+                            AlgorithmID.ECDSA_256,
+                            ECKey.parse(key.exportJWK()).toECPublicKey(),
+                            null
+                        )
+                    }
+                }
+            }
+        }
+    }
+
     @OptIn(ExperimentalSerializationApi::class)
     private suspend fun doGenerateMDoc(
         credentialRequest: CredentialRequest,
         issuanceSession: IssuanceSession
     ): CredentialResult {
-        val coseSign1 = Cbor.decodeFromByteArray<COSESign1>(
-            credentialRequest.proof?.cwt?.base64UrlDecode() ?: throw CredentialError(
-                credentialRequest,
-                CredentialErrorCode.invalid_or_missing_proof, message = "No CWT proof found on credential request"
-            )
-        )
-        val holderKey = COSESign1Utils.extractHolderKey(coseSign1)
+        val proof = credentialRequest.proof ?: throw CredentialError(credentialRequest, CredentialErrorCode.invalid_or_missing_proof, message = "No proof found on credential request")
+        val holderKey = extractHolderKey(proof) ?: throw CredentialError(credentialRequest, CredentialErrorCode.invalid_or_missing_proof, message = "No holder key could be extracted from proof")
+
         val nonce = OpenID4VCI.getNonceFromProof(credentialRequest.proof!!) ?: throw CredentialError(
             credentialRequest,
             CredentialErrorCode.invalid_or_missing_proof,
@@ -425,10 +444,20 @@ open class CIProvider(
     }
 
     private fun generateProofOfPossessionNonceFor(session: IssuanceSession): IssuanceSession {
+        // Calculate remaining TTL based on session expiration
+        val remainingTtl = session.expirationTimestamp?.let {
+            val now = Clock.System.now()
+            if (it > now) {
+                it - now  // Calculate duration between now and expiration
+            } else {
+                null  // Already expired
+            }
+        }
+        
         return session.copy(
             cNonce = randomUUID()
         ).also {
-            putSession(it.id, it)
+            putSession(it.id, it, remainingTtl)
         }
     }
 
@@ -477,7 +506,7 @@ open class CIProvider(
             val updatedSession = IssuanceSession(
                 id = it.id,
                 authorizationRequest = authorizationRequest,
-                expirationTimestamp = Clock.System.now().plus(5.minutes),
+                expirationTimestamp = Clock.System.now().plus(expiresIn),
                 issuanceRequests = it.issuanceRequests,
                 authServerState = authServerState,
                 txCode = it.txCode,
@@ -487,7 +516,7 @@ open class CIProvider(
                 callbackUrl = it.callbackUrl,
                 customParameters = it.customParameters
             )
-            putSession(it.id, updatedSession)
+            putSession(it.id, updatedSession, expiresIn)
         }
     }
 
@@ -525,7 +554,7 @@ open class CIProvider(
             credentialOffer = credentialOfferBuilder.build(),
             callbackUrl = callbackUrl
         ).also {
-            putSession(it.id, it)
+            putSession(it.id, it, expiresIn)
         }
     }
 

waltid-services/waltid-issuer-api/src/main/kotlin/id/walt/issuer/issuance/IssuanceExamples.kt

@@ -458,6 +458,29 @@ object IssuanceExamples {
 
     val mDLCredentialIssuanceExample = typedValueExampleDescriptorDsl<IssuanceRequest>(mDLCredentialIssuanceData)
 
+    val mDLCredentialIssuanceDataJwtProof = """
+        {
+          "issuerKey": { 
+            "type": "jwk",
+            "jwk": ${Json.parseToJsonElement(LspPotentialIssuanceInterop.POTENTIAL_ISSUER_JWK_KEY.jwk!!)}
+          },
+          "issuerDid":"",
+          "credentialConfigurationId":"org.iso.18013.5.1.mDL-JWT-Proof",
+          "credentialData":null,
+          "mdocData": { 
+              "org.iso.18013.5.1": {
+                  "family_name": "Doe",
+                  "given_name": "John",
+                  "birth_date": "1980-01-02"
+              }
+          },
+          "x5Chain": ${buildJsonArray { add(LspPotentialInterop.POTENTIAL_ISSUER_CERT) }},
+          "trustedRootCAs": ${buildJsonArray { add(LspPotentialInterop.POTENTIAL_ROOT_CA_CERT) }}
+       }
+    """.trimIndent()
+
+    val mDLCredentialIssuanceJwtProofExample = typedValueExampleDescriptorDsl<IssuanceRequest>(mDLCredentialIssuanceDataJwtProof)
+
     // language=JSON
     val batchExampleJwt = typedValueExampleDescriptorDsl<List<IssuanceRequest>>(
         """