Verify JWS validation with out-of-band keys

a-sit-plus · Oct 29, 2024 · f56c54c · f56c54c
1 parent 1cd3353
commit f56c54c
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,7 @@ Release 5.1.0:
  - Replace `relyingPartyUrl` with `clientIdScheme` on `OidcSiopVerifier`s constructor, to clarify use of `client_id` in requests
  - Rename objects in `OpenIdConstants.ProofType`, `OpenIdConstants.CliendIdScheme` and `OpenIdConstants.ResponseMode`
  - In all OpenID data classes, serialize strings only, and parse them to crypto data classes (from signum) in a separate property (this increases interop, as we can deserialize unsupported algorithms too)
+ - Add `publicKeyLookup` function to `DefaultVerifierJwsService` to provide valid keys for JWS objects out-of-band (e.g. when they're not included in the header of the JWS)
  - OID4VCI:
    - `WalletService` supports building multiple authorization details to request a token for more than one credential
    - Remove `buildAuthorizationDetails(RequestOptions)` for `WalletService`, please migrate to `buildScope(RequestOptions)`

diff --git a/vck/src/commonMain/kotlin/at/asitplus/wallet/lib/agent/IssuerAgent.kt b/vck/src/commonMain/kotlin/at/asitplus/wallet/lib/agent/IssuerAgent.kt
@@ -52,6 +52,7 @@ class IssuerAgent(
     constructor(
         keyMaterial: KeyMaterial = EphemeralKeyWithoutCert(),
         issuerCredentialStore: IssuerCredentialStore = InMemoryIssuerCredentialStore(),
+        validator: Validator = Validator(),
     ) : this(
         validator = Validator(),
         issuerCredentialStore = issuerCredentialStore,

diff --git a/vck/src/commonMain/kotlin/at/asitplus/wallet/lib/agent/VerifierAgent.kt b/vck/src/commonMain/kotlin/at/asitplus/wallet/lib/agent/VerifierAgent.kt
@@ -20,12 +20,15 @@ class VerifierAgent private constructor(
     override val keyMaterial: KeyMaterial,
 ) : Verifier {
 
-    constructor(keyPairAdapter: KeyMaterial) : this(
-        validator = Validator(),
+    constructor(
+        keyPairAdapter: KeyMaterial,
+        validator: Validator = Validator()
+    ) : this(
+        validator = validator,
         keyMaterial = keyPairAdapter,
     )
 
-    constructor(): this(
+    constructor() : this(
         validator = Validator(),
         keyMaterial = EphemeralKeyWithoutCert(),
     )

diff --git a/vck/src/commonTest/kotlin/at/asitplus/wallet/lib/jws/JwsServiceTest.kt b/vck/src/commonTest/kotlin/at/asitplus/wallet/lib/jws/JwsServiceTest.kt
@@ -101,6 +101,26 @@ class JwsServiceTest : FreeSpec({
         verifierJwsService.verifyJwsObject(signed) shouldBe false
     }
 
+    "signed object without public key in header can not be verified" {
+        val payload = randomPayload.encodeToByteArray()
+        val header = JwsHeader(algorithm = JwsAlgorithm.ES256)
+        val signed = jwsService.createSignedJws(header, payload).getOrThrow()
+
+        verifierJwsService = DefaultVerifierJwsService()
+        verifierJwsService.verifyJwsObject(signed) shouldBe false
+    }
+
+    "signed object without public key in header, but retrieved out-of-band can be verified" {
+        val payload = randomPayload.encodeToByteArray()
+        val header = JwsHeader(algorithm = JwsAlgorithm.ES256)
+        val signed = jwsService.createSignedJws(header, payload).getOrThrow()
+        val validKey = cryptoService.keyMaterial.jsonWebKey
+
+        val publicKeyLookup: PublicKeyLookup = { setOf(validKey) }
+        verifierJwsService = DefaultVerifierJwsService(publicKeyLookup = publicKeyLookup)
+        verifierJwsService.verifyJwsObject(signed) shouldBe true
+    }
+
     "encrypted object can be decrypted" {
         val stringPayload = vckJsonSerializer.encodeToString(randomPayload)
         val encrypted = jwsService.encryptJweObject(