OID4VP: Fix ISO mDoc presentation containing more than one document

Author: nodh

CHANGELOG.md

@@ -4,6 +4,7 @@ Release 5.5.2:
  - OpenID for Verifiable Presentations:
    - Fix parsing `group` in presentation exchange input descriptors
    - Set content type for authentication responses to `application/x-www-form-urlencoded`, without the charset appended
+   - Fix ISO mDoc presentations containing multiple documents in one device response
  - When creating JWS, and `x5c` header is set, do not set `jwk` and `kid`
  - When creating JWS, and `jwk` header is set, do not set `kid`
 

vck-openid/src/commonMain/kotlin/at/asitplus/wallet/lib/openid/AuthenticationResponseFactory.kt

@@ -15,6 +15,7 @@ import at.asitplus.wallet.lib.oidvci.formUrlEncode
 import io.github.aakira.napier.Napier
 import io.ktor.http.*
 import io.matthewnelson.encoding.core.Decoder.Companion.decodeToByteArray
+import io.matthewnelson.encoding.core.Encoder.Companion.encodeToString
 import kotlinx.serialization.builtins.serializer
 import kotlinx.serialization.encodeToString
 import kotlin.coroutines.cancellation.CancellationException

vck-openid/src/commonMain/kotlin/at/asitplus/wallet/lib/openid/PresentationFactory.kt

@@ -12,6 +12,7 @@ import at.asitplus.signum.indispensable.CryptoPublicKey
 import at.asitplus.signum.indispensable.cosef.CoseSigned
 import at.asitplus.signum.indispensable.cosef.io.ByteStringWrapper
 import at.asitplus.signum.indispensable.cosef.io.coseCompliantSerializer
+import at.asitplus.signum.indispensable.io.Base64Strict
 import at.asitplus.signum.indispensable.io.Base64UrlStrict
 import at.asitplus.signum.indispensable.josef.JsonWebKey
 import at.asitplus.signum.indispensable.josef.JwsSigned
@@ -62,8 +63,8 @@ internal class PresentationFactory(
             nonce = nonce,
             audience = audience,
             transactionData = transactionData,
-            calcIsoDeviceSignature = { docType ->
-                calcDeviceSignature(responseWillBeEncrypted, clientId, responseUrl, nonce, docType)
+            calcIsoDeviceSignature = { docType, mdocGenNonce ->
+                reuseMdocGeneratedNonce(mdocGenNonce, clientId, responseUrl, nonce, docType, responseWillBeEncrypted)
             }
         )
 
@@ -86,6 +87,17 @@ internal class PresentationFactory(
         }
     }
 
+    private suspend fun PresentationFactory.reuseMdocGeneratedNonce(
+        mdocGeneratedNonce: String?,
+        clientId: String?,
+        responseUrl: String?,
+        nonce: String,
+        docType: String,
+        responseWillBeEncrypted: Boolean
+    ) = mdocGeneratedNonce?.let {
+        calcDeviceSignatureWithNonce(mdocGeneratedNonce, clientId!!, responseUrl!!, nonce, docType)
+    } ?: calcDeviceSignature(responseWillBeEncrypted, clientId, responseUrl, nonce, docType)
+
     /**
      * Parses all `transaction_data` fields from the request, with a JsonPath, because
      * ... for OpenID4VP Draft 23, that's encoded in the AuthnRequest
@@ -118,10 +130,35 @@ internal class PresentationFactory(
         nonce: String,
         docType: String,
     ): Pair<CoseSigned<ByteArray>, String?> = if (clientId != null && responseUrl != null) {
-        val deviceNameSpaceBytes = ByteStringWrapper(DeviceNameSpaces(mapOf()))
         // if it's not encrypted, we have no way of transporting the mdocGeneratedNonce, so we'll use the empty string
         val mdocGeneratedNonce = if (responseWillBeEncrypted)
             Random.Default.nextBytes(16).encodeToString(Base64UrlStrict) else ""
+        calcDeviceSignatureWithNonce(mdocGeneratedNonce, clientId, responseUrl, nonce, docType)
+    } else {
+        coseService.createSignedCose(
+            payload = nonce.encodeToByteArray(),
+            serializer = ByteArraySerializer(),
+            addKeyId = false
+        ).getOrElse {
+            Napier.w("Could not create DeviceAuth for presentation", it)
+            throw PresentationException(it)
+        } to null
+    }
+
+
+    /**
+     * Performs calculation of the [at.asitplus.wallet.lib.iso.SessionTranscript] and [at.asitplus.wallet.lib.iso.DeviceAuthentication],
+     * acc. to ISO/IEC 18013-5:2021 and ISO/IEC 18013-7:2024, with the [mdocGeneratedNonce] provided.
+     */
+    @Throws(PresentationException::class, CancellationException::class)
+    private suspend fun calcDeviceSignatureWithNonce(
+        mdocGeneratedNonce: String,
+        clientId: String,
+        responseUrl: String,
+        nonce: String,
+        docType: String,
+    ): Pair<CoseSigned<ByteArray>, String?> = run {
+        val deviceNameSpaceBytes = ByteStringWrapper(DeviceNameSpaces(mapOf()))
         val clientIdToHash = ClientIdToHash(
             clientId = clientId,
             mdocGeneratedNonce = mdocGeneratedNonce
@@ -158,15 +195,6 @@ internal class PresentationFactory(
             Napier.w("Could not create DeviceAuth for presentation", it)
             throw PresentationException(it)
         } to mdocGeneratedNonce
-    } else {
-        coseService.createSignedCose(
-            payload = nonce.encodeToByteArray(),
-            serializer = ByteArraySerializer(),
-            addKeyId = false
-        ).getOrElse {
-            Napier.w("Could not create DeviceAuth for presentation", it)
-            throw PresentationException(it)
-        } to null
     }
 
     suspend fun <T : RequestParameters> createSignedIdToken(

vck-openid/src/commonTest/kotlin/at/asitplus/wallet/lib/openid/OpenId4VpIsoProtocolTest.kt

@@ -3,6 +3,7 @@ package at.asitplus.wallet.lib.openid
 import at.asitplus.openid.OpenIdConstants
 import at.asitplus.wallet.lib.agent.*
 import at.asitplus.wallet.lib.data.ConstantIndex
+import at.asitplus.wallet.lib.data.ConstantIndex.AtomicAttribute2023
 import at.asitplus.wallet.lib.data.ConstantIndex.AtomicAttribute2023.CLAIM_GIVEN_NAME
 import at.asitplus.wallet.lib.data.ConstantIndex.CredentialRepresentation.ISO_MDOC
 import at.asitplus.wallet.lib.data.IsoDocumentParsed
@@ -49,7 +50,7 @@ class OpenId4VpIsoProtocolTest : FreeSpec({
             issuerAgent.issueCredential(
                 DummyCredentialDataProvider.getCredential(
                     holderKeyMaterial.publicKey,
-                    ConstantIndex.AtomicAttribute2023,
+                    AtomicAttribute2023,
                     ISO_MDOC,
                 ).getOrThrow()
             ).getOrThrow().toStoreCredentialInput()
@@ -94,7 +95,7 @@ class OpenId4VpIsoProtocolTest : FreeSpec({
             walletUrl,
             OpenIdRequestOptions(
                 credentials = setOf(
-                    RequestOptionsCredential(ConstantIndex.AtomicAttribute2023, ISO_MDOC, setOf(CLAIM_GIVEN_NAME))
+                    RequestOptionsCredential(AtomicAttribute2023, ISO_MDOC, setOf(CLAIM_GIVEN_NAME))
                 )
             ),
             holderOid4vp
@@ -185,6 +186,38 @@ class OpenId4VpIsoProtocolTest : FreeSpec({
         document.invalidItems.shouldBeEmpty()
     }
 
+    "Selective Disclosure with two documents and encryption (ISO/IEC 18013-7:2024 Annex B)" {
+        val mdlFamilyName = MobileDrivingLicenceDataElements.FAMILY_NAME
+        val atomicGivenName = CLAIM_GIVEN_NAME
+        verifierOid4vp = OpenId4VpVerifier(
+            keyMaterial = verifierKeyMaterial,
+            clientIdScheme = ClientIdScheme.RedirectUri(clientId),
+        )
+        val requestOptions = OpenIdRequestOptions(
+            credentials = setOf(
+                RequestOptionsCredential(MobileDrivingLicenceScheme, ISO_MDOC, setOf(mdlFamilyName)),
+                RequestOptionsCredential(AtomicAttribute2023, ISO_MDOC, setOf(atomicGivenName))
+            ),
+            responseMode = OpenIdConstants.ResponseMode.DirectPostJwt,
+            responseUrl = "https://example.com/response",
+            encryption = true
+        )
+        val authnRequest = verifierOid4vp.createAuthnRequest(
+            requestOptions, OpenId4VpVerifier.CreationOptions.Query(walletUrl)
+        ).getOrThrow().url
+
+        val authnResponse = holderOid4vp.createAuthnResponse(authnRequest).getOrThrow()
+            .shouldBeInstanceOf<AuthenticationResponseResult.Post>()
+
+        val documents = verifierOid4vp.validateAuthnResponse(authnResponse.params.formUrlEncode())
+            .shouldBeInstanceOf<AuthnResponseResult.VerifiablePresentationValidationResults>()
+            .validationResults.flatMap { it.shouldBeInstanceOf<AuthnResponseResult.SuccessIso>().documents }
+        documents.first { it.mso.docType == AtomicAttribute2023.isoDocType }
+            .validItems.shouldHaveSingleElement { it.elementIdentifier == atomicGivenName }
+        documents.first { it.mso.docType == MobileDrivingLicenceScheme.isoDocType }
+            .validItems.shouldHaveSingleElement { it.elementIdentifier == mdlFamilyName }
+    }
+
     "Selective Disclosure with mDL JSON Path syntax" {
         verifierOid4vp = OpenId4VpVerifier(
             keyMaterial = verifierKeyMaterial,

vck/src/commonMain/kotlin/at/asitplus/wallet/lib/agent/HolderAgent.kt

@@ -214,19 +214,30 @@ class HolderAgent(
             )
         }.toList()
 
+        // Presentation will be one single ISO mDoc DeviceResponse, containing multiple documents
+        val isSingleIsoMdocPresentation = submissionList.all { it.second.credential is StoreEntry.Iso }
         val presentationSubmission = PresentationSubmission.fromMatches(
             presentationId = presentationDefinition.id,
             matches = submissionList,
+            isSingleIsoMdocPresentation = isSingleIsoMdocPresentation
         )
 
-        val verifiablePresentations = submissionList.map { match ->
-            val credential = match.second.credential
-            val disclosedAttributes = match.second.disclosedAttributes
-            verifiablePresentationFactory.createVerifiablePresentation(
-                request = request,
-                credential = credential,
-                disclosedAttributes = disclosedAttributes,
-            ).getOrThrow()
+        val verifiablePresentations = if (isSingleIsoMdocPresentation) {
+            listOf(
+                verifiablePresentationFactory.createVerifiablePresentationForIsoCredentials(
+                    request = request,
+                    credentialAndDisclosedAttributes = submissionList
+                        .associate { it.second.credential as StoreEntry.Iso to it.second.disclosedAttributes },
+                ).getOrThrow()
+            )
+        } else {
+            submissionList.map { match ->
+                verifiablePresentationFactory.createVerifiablePresentation(
+                    request = request,
+                    credential = match.second.credential,
+                    disclosedAttributes = match.second.disclosedAttributes,
+                ).getOrThrow()
+            }
         }
 
         PresentationResponseParameters.PresentationExchangeParameters(
@@ -362,14 +373,15 @@ class HolderAgent(
     private fun PresentationSubmission.Companion.fromMatches(
         presentationId: String?,
         matches: List<Pair<String, PresentationExchangeCredentialDisclosure>>,
+        isSingleIsoMdocPresentation: Boolean,
     ) = PresentationSubmission(
         id = uuid4().toString(),
         definitionId = presentationId,
         descriptorMap = matches.mapIndexed { index, match ->
             PresentationSubmissionDescriptor.fromMatch(
                 inputDescriptorId = match.first,
                 credential = match.second.credential,
-                index = if (matches.size == 1) null else index,
+                index = if (matches.size == 1 || isSingleIsoMdocPresentation) null else index,
             )
         },
     )

vck/src/commonMain/kotlin/at/asitplus/wallet/lib/agent/PresentationDataClasses.kt

@@ -39,7 +39,7 @@ data class PresentationRequestParameters(
      * Handle calculating device signature for ISO mDocs, as this depends on the transport protocol
      * (OpenId4VP with ISO/IEC 18013-7)
      */
-    val calcIsoDeviceSignature: (suspend (docType: String) -> Pair<CoseSigned<ByteArray>, String?>?) = { null },
+    val calcIsoDeviceSignature: (suspend (docType: String, existingMdocGeneratedNonce: String?) -> Pair<CoseSigned<ByteArray>, String?>?) = { _, _ -> null },
 ) {
     internal fun getTransactionDataHashes(): Set<ByteArray>? = transactionData?.map {
         (vckJsonSerializer.encodeToJsonElement(