ISO: Include challenge in device signature and verify it

a-sit-plus · Aug 2, 2023 · 9c98def · 9c98def
1 parent c1a1ab8
commit 9c98def
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/vclib/src/commonMain/kotlin/at/asitplus/wallet/lib/agent/HolderAgent.kt b/vclib/src/commonMain/kotlin/at/asitplus/wallet/lib/agent/HolderAgent.kt
@@ -185,7 +185,7 @@ class HolderAgent(
             val deviceSignature = coseService.createSignedCose(
                 protectedHeader = CoseHeader(algorithm = CoseAlgorithm.ES256),
                 unprotectedHeader = null,
-                payload = null, //TODO challenge
+                payload = challenge.encodeToByteArray(),
                 addKeyId = false
             ).getOrNull() ?: return null
                 .also { Napier.w("Could not create DeviceAuth for presentation") }

diff --git a/vclib/src/commonMain/kotlin/at/asitplus/wallet/lib/agent/Validator.kt b/vclib/src/commonMain/kotlin/at/asitplus/wallet/lib/agent/Validator.kt
@@ -222,6 +222,14 @@ class Validator(
                 .also { Napier.w("DeviceSignature not verified") }
         }
 
+        val deviceSignaturePayload = deviceSignature.payload
+            ?: return Verifier.VerifyPresentationResult.InvalidStructure(doc.serialize().encodeBase16())
+                .also { Napier.w("DeviceSignature does not contain challenge") }
+        if (!deviceSignaturePayload.contentEquals(challenge.encodeToByteArray())) {
+            return Verifier.VerifyPresentationResult.InvalidStructure(doc.serialize().encodeBase16())
+                .also { Napier.w("DeviceSignature does not contain correct challenge") }
+        }
+
         val issuerSignedItems = issuerSigned.namespaces?.get(NAMESPACE_MDL)
             ?: return Verifier.VerifyPresentationResult.InvalidStructure(doc.serialize().encodeBase16())
                 .also { Napier.w("No issuer signed items in ${issuerSigned.namespaces}") }