Merge branch 'main' into test/make-podman-work

Author: erik-eriksson34

.mise.toml

@@ -19,7 +19,7 @@ PIP_INDEX_URL = "{{ get_env(name='PIP_INDEX_URL', default='') }}"
 java = "temurin-21"
 maven = "3.9"
 "aqua:casey/just" = "1.43.0"
-"aqua:rhysd/actionlint" = "v1.7.8"
+"aqua:rhysd/actionlint" = "v1.7.11"
 "aqua:siderolabs/conform" = "v0.1.0-alpha.30"
 "aqua:zricethezav/gitleaks" = "v8.29.1"
 "ubi:rvben/rumdl" = "v0.0.173"

DEVELOPMENT.md

@@ -237,6 +237,62 @@ mvn test -Dtest.excludes='TraefikTest,WalletAccountTest,WalletAttributeAttestati
 The command above will run all test cases except
 TraefikTest, WalletAccountTest and WalletAttributeAttestationTest.
 
+#### Checking that the verifier rejects untrusted issuers
+
+In `VerifierBackendTest` we have a way to check that
+the local verifier rejects credentials issued by an untrusted party.
+Specifically, that the verifier reject credentials issued by
+a party not in the configured list of trust sources. There are two tests related
+to this:
+
+1. `rejectsUntrustedPidIssuer`
+2. `rejectsCredentialFromUntrustedSource`
+
+The first one requires a live, but untrusted, environment
+and the second one uses pre-generated credentials known to be untrusted.
+Since the first test requires a live environment it is disabled by default.
+
+You can run it like so:
+
+```shell
+env \
+	DIGG_WALLET_ECOSYSTEM_INCLUDE_TESTS_WITH_UNTRUSTED_ISSUER=true \
+	DIGG_WALLET_ECOSYSTEM_UNTRUSTED_WALLET_PROVIDER_BASE_URI=https://example.com/untrusted-wallet-provider \
+	DIGG_WALLET_ECOSYSTEM_UNTRUSTED_PID_ISSUER_BASE_URI=https://example.com/untrusted-pid-issuer \
+	DIGG_WALLET_ECOSYSTEM_UNTRUSTED_KEYCLOAK_BASE_URI=https://example.com/untrusted-idp \
+	mvn test -Dtest=VerifierBackendTest#rejectsUntrustedPidIssuer
+```
+
+The live test can be used to generate data for the second test.
+In order to do so, we can manipulate the certificates
+so that they are not trusted by the verifier.
+
+```shell
+# Remove the root CA so that a new one is generated
+rm config/certificates/rootca/*
+
+# Generate new keystores for all services
+config/certificates/generate_keystores.sh
+
+# Use the existing trusted issuers instead of the newly generated ones
+git checkout config/certificates/verifier/trusted_issuers.p12
+
+# Restart environment
+docker compose restart
+
+# Run test
+env \
+	DIGG_WALLET_ECOSYSTEM_INCLUDE_TESTS_WITH_UNTRUSTED_ISSUER=true \
+	DIGG_WALLET_ECOSYSTEM_UNTRUSTED_WALLET_PROVIDER_BASE_URI=https://localhost/wallet-provider \
+	DIGG_WALLET_ECOSYSTEM_UNTRUSTED_PID_ISSUER_BASE_URI=https://localhost/pid-issuer \
+	DIGG_WALLET_ECOSYSTEM_UNTRUSTED_KEYCLOAK_BASE_URI=https://localhost/idp \
+	mvn test -Dtest=VerifierBackendTest#rejectsUntrustedPidIssuer
+```
+
+The test will print the credentials and signing key to standard out
+and this data can be copied into the corresponding variable values
+of the `rejectsCredentialFromUntrustedSource` test method.
+
 ### Quality Checks
 
 This project uses `just` + `mise` for local quality checks.

docker-compose.yaml

@@ -48,7 +48,7 @@ services:
       - wallet-ecosystem-network
 
   wallet-provider:
-    image: ghcr.io/diggsweden/wallet-provider:v0.0.6
+    image: ghcr.io/diggsweden/wallet-provider:v0.0.7
     container_name: wallet-provider
     hostname: wallet-provider
     volumes:
@@ -115,19 +115,16 @@ services:
       - ISSUER_CREDENTIALRESPONSEENCRYPTION_REQUIRED=true
       - ISSUER_CREDENTIALRESPONSEENCRYPTION_ALGORITHMSSUPPORTED=ECDH-ES
       - ISSUER_CREDENTIALRESPONSEENCRYPTION_ENCRYPTIONMETHODS=A128GCM
-      - ISSUER_PID_MSO_MDOC_ENABLED=true
-      - ISSUER_PID_MSO_MDOC_ENCODER_DURATION=P30D
-      - ISSUER_PID_MSO_MDOC_NOTIFICATIONS_ENABLED=true
+      - ISSUER_PID_MSO_MDOC_ENABLED=false
       - ISSUER_PID_SD_JWT_VC_ENABLED=true
       - ISSUER_PID_SD_JWT_VC_NOTUSEBEFORE=PT20S
       - ISSUER_PID_SD_JWT_VC_NOTIFICATIONS_ENABLED=true
       - ISSUER_PID_SD_JWT_VC_KEY_ATTESTATIONS_REQUIRED=true
       - ISSUER_PID_ISSUINGCOUNTRY=SE
       - ISSUER_PID_ISSUINGJURISDICTION=SE-Y # Västernorrland
-      - ISSUER_EHIC_ISSUINGCOUNTRY=SE
-      - ISSUER_MDL_ENABLED=true
-      - ISSUER_MDL_MSO_MDOC_ENCODER_DURATION=P5D
-      - ISSUER_MDL_NOTIFICATIONS_ENABLED=true
+      - ISSUER_EHIC_ENABLED=false
+      - ISSUER_MDL_ENABLED=false
+      - ISSUER_LEARNINGCREDENTIAL_ENABLED=false
       - ISSUER_CREDENTIALOFFER_URI=openid-credential-offer://
       - ISSUER_SIGNING_KEY=LoadFromKeystore
       - ISSUER_SIGNING_KEY_KEYSTORE=file:///opt/common/pid_issuer.p12
@@ -287,7 +284,7 @@ services:
       - wallet-ecosystem-network
 
   wallet-client-gateway:
-    image: ghcr.io/diggsweden/wallet-client-gateway:v0.4.4
+    image: ghcr.io/diggsweden/wallet-client-gateway:v0.4.5
     container_name: wallet-client-gateway
     hostname: wallet-client-gateway
     volumes:

package-lock.json

@@ -1,7 +1,7 @@
 {
   "name": "wallet-ecosystem",
   "devDependencies": {
-    "@prettier/plugin-xml": "^3.4.2",
-    "prettier": "^3.6.2"
+    "@prettier/plugin-xml": "3.4.2",
+    "prettier": "3.6.2"
   }
 }

package.json

@@ -37,7 +37,7 @@ public class EndToEndTest {
       "wallet-unit-attestation/v2"
   })
   void getCredential(String wuaPath) throws Exception {
-    IssuanceHelper issuanceHelper = new IssuanceHelper(new WalletProviderClient(wuaPath));
+    IssuanceAgent issuer = new IssuanceAgent(new WalletProviderClient(wuaPath));
     // 1. Initialize transaction
     String nonce = UUID.randomUUID().toString();
     String dcqlId = UUID.randomUUID().toString();
@@ -62,12 +62,11 @@ void getCredential(String wuaPath) throws Exception {
             .keyUse(KeyUse.SIGNATURE)
             .generate();
 
-    String sdJwtVc = issuanceHelper.issuePidCredential(bindingKey, "tneal", "password");
+    String sdJwtVc = issuer.issuePidCredential(bindingKey, "tneal", "password");
 
     // 4. Create vp_token
     String vpToken =
-        issuanceHelper.createVpToken(
-            sdJwtVc, bindingKey, nonce, VerifierBackendClient.VERIFIER_AUDIENCE);
+        VerifiablePresentationToken.asString(sdJwtVc, bindingKey, nonce);
 
     // 5. Post wallet response
     String vpTokenJson = String.format("{ \"%s\": [ \"%s\" ] }", dcqlId, vpToken);

src/test/java/se/digg/wallet/ecosystem/EndToEndTest.java

@@ -16,51 +16,45 @@
 import com.nimbusds.jose.jwk.gen.ECKeyGenerator;
 import com.nimbusds.jwt.JWTClaimsSet;
 import com.nimbusds.jwt.SignedJWT;
-import java.nio.charset.StandardCharsets;
-import java.security.MessageDigest;
 import java.time.Instant;
-import java.util.Base64;
 import java.util.Date;
 import java.util.List;
 import java.util.Map;
 
-public class IssuanceHelper {
+public class IssuanceAgent {
 
-  private final KeycloakClient keycloak = new KeycloakClient();
+  static IssuanceAgent untrusted() {
+    return new IssuanceAgent(
+        new KeycloakClient(ServiceIdentifier.UNTRUSTED_KEYCLOAK.getResourceRoot()),
+        new WalletProviderClient(ServiceIdentifier.UNTRUSTED_WALLET_PROVIDER.getResourceRoot()),
+        new PidIssuerClient(ServiceIdentifier.UNTRUSTED_PID_ISSUER.getResourceRoot()),
+        ServiceIdentifier.UNTRUSTED_PID_ISSUER.toString());
+  }
+
+  private final KeycloakClient keycloak;
   private final WalletProviderClient walletProvider;
-  private final PidIssuerClient pidIssuer = new PidIssuerClient();
+  private final PidIssuerClient pidIssuer;
+  private final String audience;
 
-  public IssuanceHelper() {
+  public IssuanceAgent() {
     this(new WalletProviderClient());
   }
 
-  public IssuanceHelper(WalletProviderClient walletProvider) {
-    this.walletProvider = walletProvider;
+  public IssuanceAgent(WalletProviderClient walletProvider) {
+    this(new KeycloakClient(), walletProvider, new PidIssuerClient(),
+        ServiceIdentifier.PID_ISSUER.toString());
   }
 
-  public String createVpToken(String sdJwtVc, ECKey bindingKey, String nonce, String audience)
-      throws Exception {
-    MessageDigest digest = MessageDigest.getInstance("SHA-256");
-    byte[] hash = digest.digest(sdJwtVc.getBytes(StandardCharsets.UTF_8));
-    String sdHash = Base64.getUrlEncoder().withoutPadding().encodeToString(hash);
+  public IssuanceAgent(
+      KeycloakClient keycloak,
+      WalletProviderClient walletProvider,
+      PidIssuerClient pidIssuer,
+      String audience) {
 
-    JWTClaimsSet kbJwtClaims =
-        new JWTClaimsSet.Builder()
-            .audience(audience)
-            .issueTime(Date.from(Instant.now()))
-            .claim("nonce", nonce)
-            .claim("sd_hash", sdHash)
-            .build();
-    SignedJWT kbJwt =
-        new SignedJWT(
-            new JWSHeader.Builder(JWSAlgorithm.ES256)
-                .jwk(bindingKey.toPublicJWK())
-                .type(new JOSEObjectType("kb+jwt"))
-                .build(),
-            kbJwtClaims);
-    kbJwt.sign(new ECDSASigner(bindingKey));
-    String kbJwtSerialized = kbJwt.serialize();
-    return sdJwtVc + kbJwtSerialized;
+    this.keycloak = keycloak;
+    this.walletProvider = walletProvider;
+    this.pidIssuer = pidIssuer;
+    this.audience = audience;
   }
 
   public String issuePidCredential(ECKey bindingKey, String username, String password)
@@ -107,7 +101,7 @@ private String createProof(ECKey jwk, String wua, String nonce) throws JOSEExcep
     JWTClaimsSet claims =
         new JWTClaimsSet.Builder()
             .issuer(jwk.toPublicJWK().toString())
-            .audience(ServiceIdentifier.PID_ISSUER.toString())
+            .audience(audience)
             .issueTime(Date.from(Instant.now()))
             .claim("nonce", nonce)
             .build();

…igg/wallet/ecosystem/IssuanceHelper.java …digg/wallet/ecosystem/IssuanceAgent.javasrc/test/java/se/digg/wallet/ecosystem/IssuanceHelper.java renamed to src/test/java/se/digg/wallet/ecosystem/IssuanceAgent.java src/test/java/se/digg/wallet/ecosystem/IssuanceHelper.java renamed to src/test/java/se/digg/wallet/ecosystem/IssuanceAgent.java

@@ -38,7 +38,11 @@ public class PidIssuerClient {
   private final URI base;
 
   public PidIssuerClient() {
-    base = ServiceIdentifier.PID_ISSUER.getResourceRoot();
+    this(ServiceIdentifier.PID_ISSUER.getResourceRoot());
+  }
+
+  public PidIssuerClient(URI base) {
+    this.base = base;
   }
 
   public Response tryGetOpenIdCredentialIssuerMetadata(MetadataLocationStrategy strategy) {

src/test/java/se/digg/wallet/ecosystem/PidIssuerClient.java

@@ -8,32 +8,31 @@
 import java.util.Optional;
 
 public enum ServiceIdentifier {
-  KEYCLOAK("https://localhost/idp",
-      "DIGG_WALLET_ECOSYSTEM_KEYCLOAK_BASE_URI"),
-  PID_ISSUER("https://localhost/pid-issuer",
-      "DIGG_WALLET_ECOSYSTEM_PID_ISSUER_BASE_URI"),
-  WALLET_PROVIDER("https://localhost/wallet-provider",
-      "DIGG_WALLET_ECOSYSTEM_WALLET_PROVIDER_BASE_URI"),
-  VERIFIER_BACKEND("https://localhost/refimpl-verifier-backend",
-      "DIGG_WALLET_ECOSYSTEM_VERIFIER_BACKEND_BASE_URI"),
-  VERIFIER_FRONTEND("https://localhost/demo-verifier",
-      "DIGG_WALLET_ECOSYSTEM_VERIFIER_FRONTEND_BASE_URI"),
-  WALLET_CLIENT_GATEWAY("https://localhost/wallet-client-gateway",
-      "DIGG_WALLET_ECOSYSTEM_WALLET_CLIENT_GATEWAY_BASE_URI");
+  KEYCLOAK("https://localhost/idp"),
+  UNTRUSTED_KEYCLOAK("https://localhost/untrusted-idp"),
+  PID_ISSUER("https://localhost/pid-issuer"),
+  UNTRUSTED_PID_ISSUER("https://localhost/untrusted-pid-issuer"),
+  WALLET_PROVIDER("https://localhost/wallet-provider"),
+  UNTRUSTED_WALLET_PROVIDER("https://localhost/untrusted-wallet-provider"),
+  VERIFIER_BACKEND("https://localhost/refimpl-verifier-backend"),
+  VERIFIER_FRONTEND("https://localhost/demo-verifier"),
+  WALLET_CLIENT_GATEWAY("https://localhost/wallet-client-gateway");
 
   private final String defaultUri;
-  private final String environmentVariable;
 
-  ServiceIdentifier(String defaultUri, String environmentVariable) {
+  ServiceIdentifier(String defaultUri) {
     this.defaultUri = defaultUri;
-    this.environmentVariable = environmentVariable;
   }
 
   private String getValue() {
-    return Optional.ofNullable(System.getenv(environmentVariable))
+    return Optional.ofNullable(System.getenv(getEnvironmentVariableName()))
         .orElse(defaultUri);
   }
 
+  String getEnvironmentVariableName() {
+    return String.format("DIGG_WALLET_ECOSYSTEM_%s_BASE_URI", name());
+  }
+
   @Override
   public String toString() {
     return getValue();

src/test/java/se/digg/wallet/ecosystem/ServiceIdentifier.java

@@ -0,0 +1,43 @@
+// SPDX-FileCopyrightText: 2025 The Wallet Ecosystem Authors
+//
+// SPDX-License-Identifier: EUPL-1.2
+
+package se.digg.wallet.ecosystem;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.equalTo;
+import static se.digg.wallet.ecosystem.ServiceIdentifier.KEYCLOAK;
+import static se.digg.wallet.ecosystem.ServiceIdentifier.PID_ISSUER;
+import static se.digg.wallet.ecosystem.ServiceIdentifier.UNTRUSTED_KEYCLOAK;
+import static se.digg.wallet.ecosystem.ServiceIdentifier.UNTRUSTED_PID_ISSUER;
+import static se.digg.wallet.ecosystem.ServiceIdentifier.UNTRUSTED_WALLET_PROVIDER;
+import static se.digg.wallet.ecosystem.ServiceIdentifier.VERIFIER_BACKEND;
+import static se.digg.wallet.ecosystem.ServiceIdentifier.VERIFIER_FRONTEND;
+import static se.digg.wallet.ecosystem.ServiceIdentifier.WALLET_CLIENT_GATEWAY;
+import static se.digg.wallet.ecosystem.ServiceIdentifier.WALLET_PROVIDER;
+import static se.digg.wallet.ecosystem.ServiceIdentifier.values;
+
+import java.util.Map;
+import java.util.function.Function;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+import org.junit.jupiter.api.Test;
+
+class ServiceIdentifierTest {
+
+  @Test
+  void hasSpecificEnvironmentVariableNames() {
+    assertThat(Stream.of(values()).collect(
+        Collectors.toMap(Function.identity(), ServiceIdentifier::getEnvironmentVariableName)),
+        equalTo(Map.of(
+            KEYCLOAK, "DIGG_WALLET_ECOSYSTEM_KEYCLOAK_BASE_URI",
+            UNTRUSTED_KEYCLOAK, "DIGG_WALLET_ECOSYSTEM_UNTRUSTED_KEYCLOAK_BASE_URI",
+            PID_ISSUER, "DIGG_WALLET_ECOSYSTEM_PID_ISSUER_BASE_URI",
+            UNTRUSTED_PID_ISSUER, "DIGG_WALLET_ECOSYSTEM_UNTRUSTED_PID_ISSUER_BASE_URI",
+            WALLET_PROVIDER, "DIGG_WALLET_ECOSYSTEM_WALLET_PROVIDER_BASE_URI",
+            UNTRUSTED_WALLET_PROVIDER, "DIGG_WALLET_ECOSYSTEM_UNTRUSTED_WALLET_PROVIDER_BASE_URI",
+            VERIFIER_BACKEND, "DIGG_WALLET_ECOSYSTEM_VERIFIER_BACKEND_BASE_URI",
+            VERIFIER_FRONTEND, "DIGG_WALLET_ECOSYSTEM_VERIFIER_FRONTEND_BASE_URI",
+            WALLET_CLIENT_GATEWAY, "DIGG_WALLET_ECOSYSTEM_WALLET_CLIENT_GATEWAY_BASE_URI")));
+  }
+}