Implemented key attestation in openid4vci + misc. fixes.

Signed-off-by: Peter Sorotokin <[email protected]>
openwallet-foundation-labs · Oct 11, 2024 · ce913e8 · ce913e8
1 parent 07ed648
commit ce913e8
Show file tree

Hide file tree

Showing 24 changed files with 611 additions and 298 deletions.
diff --git a/identity-flow/src/main/java/com/android/identity/flow/handler/FlowExceptionMap.kt b/identity-flow/src/main/java/com/android/identity/flow/handler/FlowExceptionMap.kt
@@ -18,6 +18,12 @@ class FlowExceptionMap private constructor(
         private val byClass = mutableMapOf<KClass<out Throwable>, Item<*>>()
         private val byId = mutableMapOf<String, Item<*>>()
 
+        init {
+            // This exception is the part of the framework and is always supported.
+            // TODO: consider adding some Kotlin exceptions (they'd need cbor serialization).
+            InvalidRequestException.register(this)
+        }
+
         fun <ExceptionT : Throwable> addException(
             exceptionId: String,
             serializer: (ExceptionT) -> DataItem,

diff --git a/identity-flow/src/main/java/com/android/identity/flow/handler/InvalidRequestException.kt b/identity-flow/src/main/java/com/android/identity/flow/handler/InvalidRequestException.kt
@@ -0,0 +1,10 @@
+package com.android.identity.flow.handler
+
+import com.android.identity.cbor.annotation.CborSerializable
+import com.android.identity.flow.annotation.FlowException
+
+@FlowException
+@CborSerializable
+class InvalidRequestException(message: String?) : RuntimeException(message) {
+    companion object
+}
diff --git a/identity-issuance/src/main/java/com/android/identity/issuance/ApplicationSupport.kt b/identity-issuance/src/main/java/com/android/identity/issuance/ApplicationSupport.kt
@@ -12,11 +12,8 @@ import com.android.identity.securearea.KeyAttestation
 @FlowInterface
 interface ApplicationSupport : FlowNotifiable<LandingUrlNotification> {
     /**
-     * Creates a "landing" URL suitable for web redirects. When a landing URL is navigated to,
-     * [LandingUrlNotification] is sent to the client.
-     *
-     * NB: this method returns the relative URL, server base URL should be prepended to it before
-     * use.
+     * Creates a "landing" absolute URL suitable for web redirects. When a landing URL is
+     * navigated to, [LandingUrlNotification] is sent to the client.
      */
     @FlowMethod
     suspend fun createLandingUrl(): String
@@ -25,10 +22,10 @@ interface ApplicationSupport : FlowNotifiable<LandingUrlNotification> {
      * Returns the query portion of the URL which was actually used when navigating to a landing
      * URL, or null if navigation did not occur yet.
      *
-     * [relativeUrl] relative URL of the landing page as returned by [createLandingUrl].
+     * [landingUrl] URL of the landing page as returned by [createLandingUrl].
      */
     @FlowMethod
-    suspend fun getLandingUrlStatus(relativeUrl: String): String?
+    suspend fun getLandingUrlStatus(landingUrl: String): String?
 
     /**
      * Creates OAuth JWT client assertion based on the mobile-platform-specific [KeyAttestation].
@@ -38,4 +35,14 @@ interface ApplicationSupport : FlowNotifiable<LandingUrlNotification> {
         clientAttestation: KeyAttestation,
         targetIssuanceUrl: String
     ): String
+
+    /**
+     * Creates OAuth JWT key attestation based on the given list of mobile-platform-specific
+     * [KeyAttestation]s.
+     */
+    @FlowMethod
+    suspend fun createJwtKeyAttestation(
+        keyAttestations: List<KeyAttestation>,
+        nonce: String
+    ): String
 }
diff --git a/...-issuance/src/main/java/com/android/identity/issuance/funke/AbstractRequestCredentials.kt b/...-issuance/src/main/java/com/android/identity/issuance/funke/AbstractRequestCredentials.kt
@@ -0,0 +1,19 @@
+package com.android.identity.issuance.funke
+
+import com.android.identity.cbor.annotation.CborSerializable
+import com.android.identity.flow.annotation.FlowState
+import com.android.identity.issuance.CredentialConfiguration
+import com.android.identity.issuance.CredentialFormat
+import com.android.identity.issuance.RequestCredentialsFlow
+
+@FlowState(
+    flowInterface = RequestCredentialsFlow::class
+)
+abstract class AbstractRequestCredentials(
+    val documentId: String,
+    val credentialConfiguration: CredentialConfiguration,
+    val nonce: String,
+    var format: CredentialFormat? = null,
+) {
+    companion object
+}
diff --git a/identity-issuance/src/main/java/com/android/identity/issuance/funke/FunkeIssuerDocument.kt b/identity-issuance/src/main/java/com/android/identity/issuance/funke/FunkeIssuerDocument.kt
@@ -5,20 +5,15 @@ import com.android.identity.issuance.CredentialData
 import com.android.identity.issuance.DocumentCondition
 import com.android.identity.issuance.DocumentConfiguration
 import com.android.identity.issuance.RegistrationResponse
-import com.android.identity.issuance.evidence.EvidenceRequestSetupCloudSecureArea
-import com.android.identity.issuance.evidence.EvidenceResponseGermanEid
-import com.android.identity.securearea.SecureArea
-import kotlinx.datetime.Instant
 
 @CborSerializable
 data class FunkeIssuerDocument(
     val registrationResponse: RegistrationResponse,
-    var state: DocumentCondition,
-    var access: FunkeAccess?,
-    var documentConfiguration: DocumentConfiguration?,
-    var secureAreaIdentifier: String?,
-    val credentialRequests: MutableList<FunkeCredentialRequest>,
-    val credentials: MutableList<CredentialData>
+    var state: DocumentCondition = DocumentCondition.PROOFING_REQUIRED,
+    var access: FunkeAccess? = null,
+    var documentConfiguration: DocumentConfiguration? = null,
+    var secureAreaIdentifier: String? = null,
+    val credentials: MutableList<CredentialData> = mutableListOf()
 ) {
     companion object
-}
+}