Merge branch 'main' of https://github.com/italia/eudi-wallet-it-python into fix/default_sig_enc_algs

PascalDR · PascalDR · commit 17dd894f50a9 · 2025-04-14T14:19:46.000+02:00
diff --git a/example/satosa/pyeudiw_backend.yaml b/example/satosa/pyeudiw_backend.yaml
@@ -122,13 +122,6 @@ config:
       x: Q46FDkhMjewZIP9qP8ZKZIP-ZEemctvjxeP0l3vWHMI
       y: IT7lsGxdJewmonk9l1_TAVYx_nixydTtI1Sbn0LkfEA
       alg: ES256
-    - crv: P-256
-      d: KzQBowMMoPmSZe7G8QsdEWc1IvR2nsgE8qTOYmMcLtc
-      kid: dDwPWXz5sCtczj7CJbqgPGJ2qQ83gZ9Sfs-tJyULi6s
-      use: sig
-      kty: EC
-      x: TSO-KOqdnUj5SUuasdlRB2VVFSqtJOxuR5GftUTuBdk
-      y: ByWgQt1wGBSnF56jQqLdoO1xKUynMY-BHIDB3eXlR7
     - kty: RSA
       d: QUZsh1NqvpueootsdSjFQz-BUvxwd3Qnzm5qNb-WeOsvt3rWMEv0Q8CZrla2tndHTJhwioo1U4NuQey7znijhZ177bUwPPxSW1r68dEnL2U74nKwwoYeeMdEXnUfZSPxzs7nY6b7vtyCoA-AjiVYFOlgKNAItspv1HxeyGCLhLYhKvS_YoTdAeLuegETU5D6K1xGQIuw0nS13Icjz79Y8jC10TX4FdZwdX-NmuIEDP5-s95V9DMENtVqJAVE3L-wO-NdDilyjyOmAbntgsCzYVGH9U3W_djh4t3qVFCv3r0S-DA2FD3THvlrFi655L0QHR3gu_Fbj3b9Ybtajpue_Q
       e: AQAB
@@ -189,8 +182,6 @@ config:
       - module: pyeudiw.openid4vp.vp_sd_jwt_vc
         class:  VpVcSdJwtParserVerifier
         format: dc+sd-jwt
-        config:
-          sig_alg_supported: *sig_alg_supported
       - module: pyeudiw.openid4vp.vp_mdoc_cbor
         class:  VpMDocCbor
         format: mso_mdoc
diff --git a/pyeudiw/federation/schemas/openid_credential_verifier.py b/pyeudiw/federation/schemas/openid_credential_verifier.py
@@ -1,5 +1,5 @@
 from enum import Enum
-from typing import List
+from typing import List, Union
 
 from pydantic import BaseModel, HttpUrl, PositiveInt
 
@@ -55,17 +55,17 @@ class OpenIDCredentialVerifier(BaseModel):
     client_name: str
     jwks: JwksSchema
     contacts: List[str]
-    request_uris: List[HttpUrl]
-    redirect_uris: List[HttpUrl]
-    default_acr_values: List[HttpUrl]
+    request_uris: Union[None, List[Union[HttpUrl, None]]]
+    redirect_uris: Union[None, List[Union[HttpUrl, None]]]
+    default_acr_values: List[Union[HttpUrl, None]]
     authorization_signed_response_alg: List[AuthorizationSignedResponseAlg]
     authorization_encrypted_response_alg: List[EncryptionAlgValuesSupported]
     authorization_encrypted_response_enc: List[EncryptionEncValuesSupported]
-    subject_type: str
-    require_auth_time: bool
+    # subject_type: str
+    # require_auth_time: bool
+    # default_max_age: PositiveInt
     id_token_encrypted_response_alg: List[EncryptionAlgValuesSupported]
     id_token_encrypted_response_enc: List[EncryptionEncValuesSupported]
     id_token_signed_response_alg: List[SigningAlgValuesSupported]
-    default_acr_values: List[AcrValuesSupported]
-    default_max_age: PositiveInt
+    default_acr_values: List[Union[AcrValuesSupported, None]]
     vp_formats: VpFormats
diff --git a/pyeudiw/openid4vp/authorization_request.py b/pyeudiw/openid4vp/authorization_request.py
@@ -50,7 +50,11 @@ def build_authorization_request_claims(
     """
 
     nonce = nonce or str(uuid.uuid4())
-
+    if authorization_config.get("auth_iss_id"):
+        _iss =  authorization_config["auth_iss_id"]
+    else:
+        _iss = client_id
+        
     claims = {
         "client_id_scheme": "http",  # that's federation.
         "client_id": client_id,
@@ -61,7 +65,7 @@ def build_authorization_request_claims(
         "response_uri": response_uri,
         "nonce": nonce,
         "state": state,
-        "iss": authorization_config.get("auth_iss_id", client_id),
+        "iss": _iss,
         "iat": iat_now(),
         "exp": exp_from_now(minutes=authorization_config["expiration_time"]),
     }
diff --git a/pyeudiw/openid4vp/presentation_submission/__init__.py b/pyeudiw/openid4vp/presentation_submission/__init__.py
@@ -23,6 +23,7 @@ def __init__(
             self, 
             config: dict,
             trust_evaluator: CombinedTrustEvaluator,
+            sig_alg_supported: list[str] = [],
         ) -> None:
         """
         Initialize the PresentationSubmissionHandler handler with the submission data.
@@ -64,7 +65,7 @@ def __init__(
                 if not issubclass(cls, BaseVPParser):
                      raise TypeError(f"Class '{class_name}' must inherit from BaseVPParser.")
                 
-                self.handlers[format_name] = cls(trust_evaluator=self.trust_evaluator, **module_config)
+                self.handlers[format_name] = cls(trust_evaluator=self.trust_evaluator, **module_config, sig_alg_supported=sig_alg_supported)
             except ModuleNotFoundError:
                 raise ImportError(f"Module '{module_name}' not found for format '{format_conf['name']}'.")
             except AttributeError:
diff --git a/pyeudiw/satosa/default/openid4vp_backend.py b/pyeudiw/satosa/default/openid4vp_backend.py
@@ -116,7 +116,8 @@ def __init__(
         credential_presentation_handlers_configuration = self.config.get("credential_presentation_handlers", {})
         self.vp_token_parser = PresentationSubmissionHandler(
             credential_presentation_handlers_configuration,
-            self.trust_evaluator
+            self.trust_evaluator,
+            self.config.get("jwt", {}).get("sig_alg_supported", [])
         )
 
     def get_trust_backend_by_class_name(self, class_name: str) -> TrustHandlerInterface:
diff --git a/pyeudiw/satosa/default/request_handler.py b/pyeudiw/satosa/default/request_handler.py
@@ -69,7 +69,6 @@ def request_endpoint(self, context: Context, *args) -> Response:
         }
 
         # load all the trust handlers request jwt header parameters, if any
-
         trust_params = self.trust_evaluator.get_jwt_header_trust_parameters(issuer=self.client_id)
         _protected_jwt_headers.update(trust_params)
 
diff --git a/pyeudiw/tests/openid4vp/test_presentation_submission.py b/pyeudiw/tests/openid4vp/test_presentation_submission.py
@@ -45,7 +45,11 @@
 
 def test_handler_initialization():
 
-    ps = PresentationSubmissionHandler(trust_evaluator=trust_ev, config=mock_format_config)
+    ps = PresentationSubmissionHandler(
+        trust_evaluator=trust_ev, 
+        config=mock_format_config,
+        sig_alg_supported=["ES256", "ES384", "ES512"]
+    )
 
     assert len(ps.handlers) == 3, "Not all handlers were created."
 
@@ -54,7 +58,11 @@ def test_handler_initialization():
     assert isinstance(ps.handlers["fail_parser"], MockFailingParser), "Handler for 'fail_parser' format is incorrect."
 
 def test_handler_correct_parsing():
-    ps = PresentationSubmissionHandler(trust_evaluator=trust_ev, config=mock_format_config)
+    ps = PresentationSubmissionHandler(
+        trust_evaluator=trust_ev, 
+        config=mock_format_config,
+        sig_alg_supported=["ES256", "ES384", "ES512"]
+    )
 
     parsed_tokens = ps.parse(valid_submission, ["vp_token_1", "vp_token_2"])
 
@@ -63,7 +71,10 @@ def test_handler_correct_parsing():
     assert parsed_tokens[1] == {"parsed": "vp_token_2"}, "Token 2 was not parsed correctly."
 
 def test_handler_missing_handler():
-    ps = PresentationSubmissionHandler(trust_evaluator=trust_ev, config=mock_format_config)
+    ps = PresentationSubmissionHandler(
+        trust_evaluator=trust_ev, 
+        config=mock_format_config,
+        sig_alg_supported=["ES256", "ES384", "ES512"])
 
     invalid_submission = {
         "id": "submission_id",
@@ -81,7 +92,11 @@ def test_handler_missing_handler():
         assert str(e) == "Handler for format 'non_existent_format' not found.", "Incorrect exception message."
 
 def test_handler_invalid_path():
-    ps = PresentationSubmissionHandler(trust_evaluator=trust_ev, config=mock_format_config)
+    ps = PresentationSubmissionHandler(
+        trust_evaluator=trust_ev, 
+        config=mock_format_config,
+        sig_alg_supported=["ES256", "ES384", "ES512"]
+    )
 
     invalid_submission = {
         "id": "submission_id",
@@ -99,7 +114,11 @@ def test_handler_invalid_path():
         assert str(e) == "Invalid path format: invalid_path", "Incorrect exception message."
 
 def test_handler_mismatched_tokens():
-    ps = PresentationSubmissionHandler(trust_evaluator=trust_ev, config=mock_format_config)
+    ps = PresentationSubmissionHandler(
+        trust_evaluator=trust_ev, 
+        config=mock_format_config,
+        sig_alg_supported=["ES256", "ES384", "ES512"]
+    )
 
     invalid_submission = {
         "id": "submission_id",
@@ -116,7 +135,11 @@ def test_handler_mismatched_tokens():
         assert str(e) == "Number of VP tokens (1) does not match the number of descriptors (2).", "Incorrect exception message."
 
 def test_handler_invalid_submission():
-    ps = PresentationSubmissionHandler(trust_evaluator=trust_ev, config=mock_format_config)
+    ps = PresentationSubmissionHandler(
+        trust_evaluator=trust_ev, 
+        config=mock_format_config,
+        sig_alg_supported=["ES256", "ES384", "ES512"]
+    )
 
     invalid_submission = {
         "fail": "submission"
@@ -130,7 +153,11 @@ def test_handler_invalid_submission():
         assert False, f"Incorrect exception type: {type(e)}"
         
 def test_handler_parser_failure():
-    ps = PresentationSubmissionHandler(trust_evaluator=trust_ev, config=mock_format_config)
+    ps = PresentationSubmissionHandler(
+        trust_evaluator=trust_ev, 
+        config=mock_format_config,
+        sig_alg_supported=["ES256", "ES384", "ES512"]
+    )
 
     invalid_submission = {
         "id": "submission_id",
diff --git a/pyeudiw/tests/settings.py b/pyeudiw/tests/settings.py
@@ -141,6 +141,13 @@ def base64url_to_int(val):
             "A192GCM",
             "A256GCM",
         ],
+        "sig_alg_supported": [
+            "RS256",
+            "ES256",
+            "ES384",
+            "ES512",
+            "EdDSA",
+        ],
     },
     "authorization": {
         "url_scheme": "haip",  # haip://
@@ -394,16 +401,7 @@ def base64url_to_int(val):
                 "module": "pyeudiw.openid4vp.vp_sd_jwt_vc",
                 "class": "VpVcSdJwtParserVerifier",
                 "format": "dc+sd-jwt",
-                "config": {
-                    "sig_alg_supported": [
-                            "RS256",
-                            "RS384",
-                            "RS512",
-                            "ES256",
-                            "ES384",
-                            "ES512",
-                    ]
-                }
+                "config": {}
             },
             {
                 "module": "pyeudiw.openid4vp.vp_mdoc_cbor",
diff --git a/pyeudiw/tests/trust/mock_trust_handler.py b/pyeudiw/tests/trust/mock_trust_handler.py
@@ -1,7 +1,6 @@
 from pyeudiw.trust.handler.interface import TrustHandlerInterface
 from pyeudiw.trust.model.trust_source import TrustSourceData
 from pyeudiw.trust.model.trust_source import TrustEvaluationType
-from datetime import datetime
 from pyeudiw.tools.utils import exp_from_now
 
 mock_jwk = {
@@ -55,19 +54,20 @@ def extract_and_update_trust_materials(
     ) -> TrustSourceData:
         trust_source = self.get_metadata(issuer, trust_source)
 
+
         if issuer == self.client_id:
             trust_param = TrustEvaluationType(
                 attribute_name="trust_param_name",
                 jwks=[mock_jwk, mock_jwk_private],
-                expiration_date=datetime.fromtimestamp(exp_from_now(self.exp)),
+                expiration_date=exp_from_now(self.exp),
                 trust_param_name={'trust_param_key': 'trust_param_value'},
                 trust_handler_name=str(self.__class__.__name__)
             )
         else:
             trust_param = TrustEvaluationType(
                 attribute_name="trust_param_name",
                 jwks=[mock_jwk, mock_jwk_private],
-                expiration_date=datetime.fromtimestamp(exp_from_now(self.exp)),
+                expiration_date=exp_from_now(self.exp),
                 trust_param_name={"trust_param_key": "trust_param_value"},
                 trust_handler_name=str(self.__class__.__name__)
             )
@@ -99,7 +99,7 @@ def extract_and_update_trust_materials(
         trust_param = TrustEvaluationType(
             attribute_name="trust_param_name",
             jwks=[mock_jwk],
-            expiration_date=datetime.fromtimestamp(exp_from_now(self.exp)),
+            expiration_date=exp_from_now(self.exp),
             trust_param_name={'updated_trust_param_key': 'updated_trust_param_value'},
             trust_handler_name=str(self.__class__.__name__)
         )
diff --git a/pyeudiw/tests/trust/test_dynamic.py b/pyeudiw/tests/trust/test_dynamic.py
@@ -1,5 +1,6 @@
 from uuid import uuid4
 
+import time
 from pyeudiw.storage.db_engine import DBEngine
 from pyeudiw.tests.settings import CONFIG
 from pyeudiw.tests.trust import correct_config, not_conformant
@@ -131,6 +132,7 @@ def test_cache_first_strategy_expired():
     uuid_url = f"http://{uuid4()}.issuer.it"
 
     assert trust_ev.get_jwt_header_trust_parameters(uuid_url) == {'trust_param_name': {'trust_param_key': 'trust_param_value'}}
+    time.sleep(1)
     assert trust_ev.get_jwt_header_trust_parameters(uuid_url) == {'trust_param_name': {'updated_trust_param_key': 'updated_trust_param_value'}}
 
 def test_cache_first_strategy_expired_revoked():
diff --git a/pyeudiw/trust/dynamic.py b/pyeudiw/trust/dynamic.py
@@ -19,6 +19,7 @@
 
 UpsertMode = Union[Literal["update_first"], Literal["cache_first"]]
 
+
 class CombinedTrustEvaluator(BaseLogger):
     """
     A trust evaluator that combines multiple trust models.
@@ -351,7 +352,7 @@ def from_config(
         :rtype: CombinedTrustEvaluator
         """
         handlers = []
-
+       
         for handler_name, handler_config in config.items():
             try:
                 # every trust evaluation method might use their own client id
diff --git a/pyeudiw/trust/model/trust_source.py b/pyeudiw/trust/model/trust_source.py

Original file line number	Diff line number	Diff line change
`@@ -116,7 +116,8 @@ def __init__(`
`116`	`116`	`credential_presentation_handlers_configuration = self.config.get("credential_presentation_handlers", {})`
`117`	`117`	`self.vp_token_parser = PresentationSubmissionHandler(`
`118`	`118`	`credential_presentation_handlers_configuration,`
`119`		`- self.trust_evaluator`
	`119`	`+ self.trust_evaluator,`
	`120`	`+ self.config.get("jwt", {}).get("sig_alg_supported", [])`
`120`	`121`	`)`
`121`	`122`
`122`	`123`	`def get_trust_backend_by_class_name(self, class_name: str) -> TrustHandlerInterface:`
Original file line number	Diff line number	Diff line change
`@@ -69,7 +69,6 @@ def request_endpoint(self, context: Context, *args) -> Response:`
`69`	`69`	`}`
`70`	`70`
`71`	`71`	`# load all the trust handlers request jwt header parameters, if any`
`72`		`-`
`73`	`72`	`trust_params = self.trust_evaluator.get_jwt_header_trust_parameters(issuer=self.client_id)`
`74`	`73`	`_protected_jwt_headers.update(trust_params)`
`75`	`74`