update packages (#89)

* update packages

Signed-off-by: Mirko Mollik <[email protected]>

* fix: update sphereon packages

Signed-off-by: Mirko Mollik <[email protected]>

* update sphereon libraries

Signed-off-by: Mirko Mollik <[email protected]>

* update nx

Signed-off-by: Mirko Mollik <[email protected]>

* update lockfile

Signed-off-by: Mirko Mollik <[email protected]>

* fix: containers

Signed-off-by: Mirko Mollik <[email protected]>

* add pex package

Signed-off-by: Mirko Mollik <[email protected]>

* fix: tests

Signed-off-by: Mirko Mollik <[email protected]>

---------

Signed-off-by: Mirko Mollik <[email protected]>

apps/holder-app-e2e/global-setup.ts

@@ -5,7 +5,6 @@ import {
   IssuerBackend,
   VerifierBackend,
 } from '@credhub/testing';
-import { appendFileSync } from 'fs';
 
 export interface GlobalConfig {
   holderFrontendPort: number;
@@ -27,13 +26,14 @@ export interface GlobalThisConfig {
 }
 
 export default async function globalSetup() {
-  if (process.env['NO_CONTAINER']) {
+  if (process.env['NO_CONTAINER'] === 'true') {
     process.env[CONFIG_KEY] = JSON.stringify({
       holderFrontendPort: 4200,
       keycloakPort: 8080,
       verifierPort: 3002,
       issuerPort: 3001,
     } as GlobalConfig);
+    return;
   }
 
   const keycloak = await Keycloak.init();

apps/holder-app-e2e/global-teardown.ts

@@ -1,7 +1,7 @@
 import { GlobalThisConfig } from './global-setup';
 
 export default async function globalTeardown() {
-  if (process.env['NO_CONTAINER']) {
+  if (process.env['NO_CONTAINER'] === 'true') {
     return;
   }
   const config = (globalThis as unknown as GlobalThisConfig).config;

apps/holder-app-e2e/project.json

@@ -5,5 +5,9 @@
   "sourceRoot": "apps/holder-app-e2e/src",
   "implicitDependencies": ["holder-app"],
   "// targets": "to see all targets run: nx show project holder-app-e2e --web",
-  "targets": {}
+  "targets": {
+    "dev": {
+      "command": "cd apps/holder-app-e2e && playwright test --ui"
+    }
+  }
 }

apps/holder-app-e2e/src/credentials.spec.ts

@@ -65,10 +65,10 @@ async function receiveCredential(pin = false) {
   const userPin = response.data.userPin;
   await page.evaluate(`navigator.clipboard.writeText("${uri}")`);
   await page.goto(`${hostname}/scan`);
-  const menu = await page.waitForSelector('#menu');
-  await menu.click();
-  const inserButton = await page.waitForSelector('#insert');
-  await inserButton.click();
+  //TODO: when we have the permission, we can direclty paste the uri into the input field. We should also check the case when the user did not give the permission or use the input option.
+  /** await page.waitForSelector('#menu').then((menu) => menu.click());
+  await page.waitForSelector('#insert').then((button) => button.click());
+  **/
   if (userPin) {
     await page
       .waitForSelector('#pin-field')
@@ -109,8 +109,8 @@ test('verify credential', async () => {
   }
   await page.evaluate(`navigator.clipboard.writeText("${uri}")`);
   await page.goto(`${hostname}/scan`);
-  await page.waitForSelector('#menu').then((menu) => menu.click());
-  await page.waitForSelector('#insert').then((button) => button.click());
+  /**await page.waitForSelector('#menu').then((menu) => menu.click());
+  await page.waitForSelector('#insert').then((button) => button.click());**/
   await page.waitForSelector('#match');
   await page.click('mat-list-option');
   await page.click('#send');

apps/holder-app/src/app/scanner/scanner.component.ts

@@ -53,7 +53,20 @@ export class ScannerComponent implements OnInit, OnDestroy {
   /**
    * Init the scanner
    */
-  ngOnInit(): void {
+  async ngOnInit(): Promise<void> {
+    //check if there is a string already in the clipboard, if so, automaticall start the flow
+    if (this.readFromClipboard && document.hasFocus()) {
+      await navigator.clipboard.readText().then((text) => {
+        if (text.startsWith('openid-credential-offer://')) {
+          this.showRequest(text, 'receive');
+        } else if (text.startsWith('openid://')) {
+          this.showRequest(text, 'send');
+        }
+      });
+      this.loading = false;
+      return;
+    }
+
     this.status = 'scanning';
     this.loading = true;
     // This method will trigger user permissions
@@ -171,9 +184,7 @@ export class ScannerComponent implements OnInit, OnDestroy {
     navigator.clipboard.readText().then(
       (text) => this.onScanSuccess(text),
       () =>
-        alert(
-          'CUnable to read from clipboard, have you granted the permission?'
-        )
+        alert('Unable to read from clipboard, have you granted the permission?')
     );
   }
 

apps/holder-backend/Dockerfile

@@ -15,7 +15,7 @@ COPY pnpm-lock.yaml ./
 COPY patches ./patches
 
 # Install pnpm and dependencies
-RUN npm install -g pnpm@8.15.8 && \
+RUN npm install -g pnpm@9.5.0 && \
     pnpm install --prod
 
 # Stage 2: Prepare the runtime image

apps/holder-backend/package.json

@@ -1,13 +1,11 @@
 {
   "dependencies": {
-    "@sphereon/pex": "^3.3.3",
-    "@sphereon/oid4vci-client": "^0.14.0",
     "pg": "^8.11.5"
   },
   "pnpm": {
     "patchedDependencies": {
       "@sphereon/[email protected]": "patches/@[email protected]",
-      "@sphereon/oid4vci-client@0.14.0": "patches/@sphereon__oid4vci-client@0.14.0.patch"
+      "@sphereon/oid4vci-client@0.15.1": "patches/@sphereon__oid4vci-client@0.15.1.patch"
     }
   }
 }

apps/holder-backend/src/app/keys/db-keys.service.ts

@@ -22,6 +22,7 @@ import { Key } from './entities/key.entity';
 import { KeysService } from './keys.service';
 import { OnEvent } from '@nestjs/event-emitter';
 import { USER_DELETED_EVENT, UserDeletedEvent } from '../auth/auth.service';
+import { calculateJwkThumbprintUri } from '@sphereon/did-auth-siop';
 
 @Injectable()
 export class DbKeysService extends KeysService {
@@ -51,6 +52,8 @@ export class DbKeysService extends KeysService {
     key.user = user;
     key.privateKey = privateKey as unknown as JsonWebKey;
     key.publicKey = publicKey as unknown as JsonWebKey;
+    key.publicKey.alg = createKeyDto.type;
+    key.privateKey.alg = createKeyDto.type;
     const entity = await this.keyRepository.save(key);
     return {
       id: entity.id,
@@ -71,17 +74,26 @@ export class DbKeysService extends KeysService {
     return this.keyRepository
       .findOneOrFail({ where: { id, user } })
       .then(async (key) => {
-        const jwk = await importJWK(key.privateKey, 'ES256');
+        const jwk = await importJWK(
+          key.privateKey,
+          key.privateKey.alg as string
+        );
         const header = JSON.parse(
           this.decodeBase64Url(value.data.split('.')[0])
         ) as JWTHeaderParameters;
+        //add the key to the header
+        header.jwk = key.publicKey;
+
         const payload = JSON.parse(
           this.decodeBase64Url(value.data.split('.')[1])
         ) as JWTPayload;
+        //required by siop
+        payload.sub_jwk = await calculateJwkThumbprintUri(key.publicKey);
+
         const jwt = await new SignJWT(payload)
           .setProtectedHeader(header)
           .sign(jwk);
-        return jwt.split('.')[2];
+        return jwt;
       });
   }
 

apps/holder-backend/src/app/keys/keys.service.ts

@@ -19,15 +19,6 @@ export abstract class KeysService {
     kbJwt: SdJwtKbJwtInput,
     aud: string
   ): Promise<string>;
-  /**
-   * Encodes a public key as a DID JWK.
-   * @param key
-   */
-  encodeDidJWK(key: JsonWebKey) {
-    return `did:jwk:${Buffer.from(JSON.stringify(key)).toString(
-      'base64url'
-    )}#0`;
-  }
 
   /**
    * Decodes a base64url to a string.

apps/holder-backend/src/app/keys/vault-keys.service.ts

@@ -136,9 +136,11 @@ export class VaultKeysService extends KeysService {
         },
         this.headers
       )
-    ).then((res) =>
-      this.derToJwtSignature(res.data.data.signature.split(':')[2])
-    );
+    )
+      .then((res) =>
+        this.derToJwtSignature(res.data.data.signature.split(':')[2])
+      )
+      .then((signature) => `${value.data}.${signature}`);
   }
 
   /**

apps/holder-backend/src/app/oid4vc/oid4vp/oid4vp.service.ts

@@ -7,24 +7,28 @@ import {
   PresentationExchange,
   type PresentationSignCallback,
   ResponseIss,
-  SigningAlgo,
   SupportedVersion,
   VPTokenLocation,
   type VerifiedAuthorizationRequest,
   RPRegistrationMetadataPayload,
+  JwtHeader,
+  JwtIssuerWithContext,
+  JwtPayload,
+  JwtVerifier,
+  CreateJwtCallback,
+  VerifyJwtCallback,
 } from '@sphereon/did-auth-siop';
-import { SdJwtDecodedVerifiableCredentialWithKbJwtInput } from '@sphereon/pex';
 import { v4 as uuid } from 'uuid';
 import { Oid4vpParseRepsonse } from './dto/parse-response.dto';
 import { Oid4vpParseRequest } from './dto/parse-request.dto';
 import { CompactSdJwtVc } from '@sphereon/ssi-types';
 import { CredentialsService } from '../../credentials/credentials.service';
 import { HistoryService } from '../../history/history.service';
 import { KeysService } from '../../keys/keys.service';
-import { JWkResolver } from '@credhub/relying-party-shared';
 import { InjectRepository } from '@nestjs/typeorm';
 import { Repository } from 'typeorm';
 import { VPSessionEntity } from './entities/vp-session.entity';
+import { jwtVerify, importJWK, JWK, KeyLike } from 'jose';
 
 @Injectable()
 export class Oid4vpService {
@@ -156,9 +160,7 @@ export class Oid4vpService {
      * @returns
      */
     const presentationSignCallback: PresentationSignCallback = async (args) => {
-      const kbJwt = (
-        args.presentation as SdJwtDecodedVerifiableCredentialWithKbJwtInput
-      ).kbJwt;
+      const kbJwt = args.presentation.kbJwt;
       args.selectedCredentials[0];
       const aud = verifiedAuthReqWithJWT.authorizationRequest.payload.client_id;
       const cnf = args.presentation.decodedPayload.cnf;
@@ -235,23 +237,67 @@ export class Oid4vpService {
 
   private async getOp(user: string) {
     const key = await this.keysService.firstOrCreate(user);
-    const did = this.keysService.encodeDidJWK(key.publicKey);
-    const kid = key.id;
-    const alg = SigningAlgo.ES256;
 
-    const withSuppliedSignature = async (data: string | Uint8Array) => {
-      const signature = await this.keysService.sign(kid, user, {
-        data: data as string,
+    const createJwtCallback: CreateJwtCallback = async (
+      jwtIssuer: JwtIssuerWithContext,
+      jwt: { header: JwtHeader; payload: JwtPayload }
+    ) => {
+      console.log(jwtIssuer);
+      jwt.header.alg = key.publicKey.alg;
+      jwt.header.kid = key.id;
+      jwt.header.typ = 'JWT';
+
+      //encode the header and payload to be signed by the key
+      const header = Buffer.from(JSON.stringify(jwt.header)).toString(
+        'base64url'
+      );
+      const payload = Buffer.from(JSON.stringify(jwt.payload)).toString(
+        'base64url'
+      );
+      const data = `${header}.${payload}`;
+      return this.keysService.sign(key.id, user, {
+        data,
       });
-      return signature;
+    };
+
+    const presentationSignCallback: PresentationSignCallback = async (args) => {
+      console.log(args);
+      throw Error('Not implemented');
+    };
+
+    const verifyJwtCallback: VerifyJwtCallback = async (
+      jwtVerifier: JwtVerifier,
+      jwt: { header: JwtHeader; payload: JwtPayload; raw: string }
+    ) => {
+      let key: KeyLike;
+      if (jwtVerifier.method === 'jwk') {
+        // verify jwk certificate protected jwt's
+        key = (await importJWK(
+          jwtVerifier.jwk as JWK,
+          jwtVerifier.jwk.alg
+        )) as KeyLike;
+      } else {
+        // Only called if based on the jwt the verification method could not be determined
+        throw new Error(
+          `Unsupported JWT verifier method ${jwtVerifier.method}`
+        );
+      }
+      return jwtVerify(jwt.raw, key).then(
+        () => true,
+        (err) => {
+          console.log(err);
+          return false;
+        }
+      );
     };
 
     return OP.builder()
       .withExpiresIn(1000)
       .withHasher(digest)
+      .withCreateJwtCallback(createJwtCallback)
+      .withPresentationSignCallback(presentationSignCallback)
+      .withVerifyJwtCallback(verifyJwtCallback)
       .withIssuer(ResponseIss.SELF_ISSUED_V2)
-      .addResolver('jwk', new JWkResolver())
-      .withSuppliedSignature(withSuppliedSignature, did, kid, alg)
       .withSupportedVersions(SupportedVersion.SIOPv2_D12_OID4VP_D18)
       .build();
   }

apps/issuer-backend/Dockerfile

@@ -15,7 +15,7 @@ COPY pnpm-lock.yaml ./
 COPY patches ./patches
 
 # Install pnpm and dependencies
-RUN npm install -g pnpm@8.15.8 && \
+RUN npm install -g pnpm@9.5.0 && \
     pnpm install --prod
 
 # Stage 2: Prepare the runtime image

apps/issuer-backend/package.json

@@ -2,15 +2,13 @@
   "dependencies": {
     "sqlite3": "^5.1.7",
     "pg": "^8.11.5",
-    "@sphereon/pex": "^3.3.3",
     "@sphereon/ssi-express-support": "0.26.0",
-    "@sphereon/oid4vci-issuer": "^0.14.0"
+    "@sphereon/oid4vci-issuer": "^0.15.1"
   },
   "pnpm": {
     "patchedDependencies": {
-      "@sphereon/[email protected]": "patches/@[email protected]",
       "@sphereon/[email protected]": "patches/@[email protected]",
-      "@sphereon/oid4vci-issuer@0.14.0": "patches/@sphereon__oid4vci-issuer@0.14.0.patch"
+      "@sphereon/oid4vci-issuer@0.15.1": "patches/@sphereon__oid4vci-issuer@0.15.1.patch"
     }
   }
 }

apps/issuer-backend/src/app/issuer/entities/credential-offer-session.entity.ts

@@ -16,8 +16,8 @@ export class CredentialOfferSessionEntity implements CredentialOfferSession {
   credentialOffer: AssertedUniformCredentialOffer;
   @Column({ nullable: true, type: 'json' })
   credentialDataSupplierInput?: unknown;
-  @Column({ nullable: true })
-  txCode?: string;
+  @Column({ nullable: true, type: 'json' })
+  txCode?: any;
   @Column({ nullable: true })
   userPin?: string;
   @Column()