Merge pull request #394 from italia/freeze1.0

freeze: code for 1.0

Author: peppelinux

README.md

@@ -97,6 +97,14 @@ it is [Satosa-Saml2Spid](https://github.com/italia/Satosa-Saml2Spid).
 
 Please read this [README](README.SATOSA.md) any details about how to configure SaToSa with the OpenID4VP Relying Party backend.
 
+## Executing Tests Using Preexisting MongoDb Instances
+
+Use the env variable PYEUDIW_MONGO_TEST_AUTH_INLINE
+
+````
+PYEUDIW_MONGO_TEST_AUTH_INLINE=satosa:thatpassword@ pytest
+````
+
 ## Contribute
 
 Your contribution is welcome, no question is useless and no answer is obvious, we need you.

example/satosa/integration_test/commons.py

@@ -195,7 +195,7 @@ def create_authorize_response(vp_token: str, state: str, response_uri: str) -> s
                 {
                     "id": "pid-sd-jwt:unique_id+given_name+family_name",
                     "path": "$.vp_token.verified_claims.claims._sd[0]",
-                    "format": "vc+sd-jwt"
+                    "format": "dc+sd-jwt"
                 }
             ],
             "aud": response_uri

example/satosa/pyeudiw_backend.yaml

@@ -24,9 +24,9 @@ def vp_parser(jwt: str) -> Vp:
     match typ.lower():
         case "jwt":
             return VpSdJwt(jwt)
-        case "vc+sd-jwt":
+        case "dc+sd-jwt":
             raise NotImplementedError(
-                "parsing of vp tokens with typ vc+sd-jwt not supported yet"
+                "parsing of vp tokens with typ dc+sd-jwt not supported yet"
             )
         case "mcdoc_cbor":
             return VpMDocCbor(jwt)

oldies/openid4vp/utils.py

@@ -13,6 +13,7 @@
     AuthorizeResponsePayload,
     ResponseMode,
 )
+from pyeudiw.jwt.utils import decode_jwt_header
 
 
 _S = TypeVar('_S', str, list[str])
@@ -117,8 +118,15 @@ class DirectPostJwtJweParser(AuthorizationResponseParser):
         https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#name-response-mode-direct_postjw
     """
 
-    def __init__(self, jwe_decryptor: JWEHelper):
+    def __init__(
+            self, 
+            jwe_decryptor: JWEHelper, 
+            enc_alg_supported: list[str] = [], 
+            enc_enc_supported: list[str] = []
+        ) -> None:
         self.jwe_decryptor = jwe_decryptor
+        self.enc_alg_supported = enc_alg_supported
+        self.enc_enc_supported = enc_enc_supported
 
     def parse_and_validate(
         self, context: satosa.context.Context
@@ -131,6 +139,19 @@ def parse_and_validate(
             raise AuthRespParsingException(
                 "invalid data in direct_post.jwt request body", e
             )
+        
+        header = decode_jwt_header(resp_data.response)
+
+        if not header.get("alg") in self.enc_alg_supported:
+            raise AuthRespValidationException(
+                "invalid data in direct_post.jwt: alg not supported"
+            )
+        
+        if not header.get("enc") in self.enc_enc_supported:
+            raise AuthRespValidationException(
+                "invalid data in direct_post.jwt: enc not supported"
+            )
+
         try:
             payload = self.jwe_decryptor.decrypt(resp_data.response)
         except JWEDecryptionError as e:

pyeudiw/openid4vp/authorization_response.py

@@ -19,4 +19,4 @@ class VcSdJwt(BaseModel):
 
 
 class VpFormats(BaseModel):
-    vc_sd_jwt: VcSdJwt = Field(..., alias="vc+sd-jwt")
+    vc_sd_jwt: VcSdJwt = Field(..., alias="dc+sd-jwt")

pyeudiw/openid4vp/schemas/vp_formats.py

@@ -1,7 +1,7 @@
 from pyeudiw.tools.base_logger import BaseLogger
 
 JWT_TYPE = "JWT"
-VC_SD_JWT_TYPE = "vc+sd-jwt"
+VC_SD_JWT_TYPE = "dc+sd-jwt"
 WALLET_ATTESTATION_TYPE = "wallet-attestation+jwt"
 MDOC_BCOR_TYPE = "mdoc_cbor"
 

pyeudiw/openid4vp/vp.py

@@ -6,9 +6,23 @@
 from pyeudiw.jwt.utils import decode_jwt_header
 from pyeudiw.sd_jwt.schema import is_sd_jwt_kb_format
 from pyeudiw.openid4vp.presentation_submission.base_vp_parser import BaseVPParser
+from pyeudiw.trust.dynamic import CombinedTrustEvaluator
 
 
 class VpVcSdJwtParserVerifier(BaseVPParser):
+
+    def __init__(self, trust_evaluator: CombinedTrustEvaluator, sig_alg_supported: list[str] = [], **kwargs) -> None:
+        """
+        Initialize the VpVcSdJwtParserVerifier with the trust evaluator.
+
+        :param trust_evaluator: The trust evaluator instance.
+        :type trust_evaluator: CombinedTrustEvaluator
+        :param sig_alg_supported: List of supported signature algorithms.
+        :type sig_alg_supported: list[str]
+        """
+        self.sig_alg_supported = sig_alg_supported
+        super().__init__(trust_evaluator, **kwargs)
+
     def _get_issuer_name(self, sdjwt: SdJwt) -> str:
         """
         Get the issuer name from the token payload.
@@ -47,6 +61,10 @@ def validate(
         static_trust_materials = {}
         header = decode_jwt_header(token)
 
+        alg = header.get("alg", None)
+        if alg not in self.sig_alg_supported:
+            raise ValueError(f"Unsupported algorithm: {alg}")
+
         if "x5c" in header:
             static_trust_materials["x5c"] = header["x5c"]
 

pyeudiw/openid4vp/vp_sd_jwt_vc.py

@@ -55,7 +55,7 @@ class PresentationDefinitionClaimFormatDesignations(
                 PresentationDefinitionClaimFormatDesignations2,
             ],
             Dict[
-                Annotated[str, Field(pattern=r"^vc\+sd-jwt$")],
+                Annotated[str, Field(pattern=r"^dc\+sd-jwt$")],
                 PresentationDefinitionClaimFormatDesignations3,
             ],
         ]
@@ -71,7 +71,7 @@ class PresentationDefinitionClaimFormatDesignations(
             PresentationDefinitionClaimFormatDesignations2,
         ],
         Dict[
-            Annotated[str, Field(pattern=r"^vc\+sd-jwt$")],
+            Annotated[str, Field(pattern=r"^dc\+sd-jwt$")],
             PresentationDefinitionClaimFormatDesignations2,
         ],
     ] = Field(..., title="Presentation Definition Claim Format Designations")

pyeudiw/presentation_exchange/schemas/oid4vc_presentation_definition.py

@@ -73,37 +73,6 @@ def __init__(
 
         self.default_exp = int(self.config["jwt"]["default_exp"])
 
-        federation_jwks = self.config["trust"]["federation"]["config"][
-            "federation_jwks"
-        ]
-        if isinstance(federation_jwks, str):
-            try:
-                self.config["trust"]["federation"]["config"]["federation_jwks"] = (
-                    json.loads(federation_jwks)
-                )
-            except json.JSONDecodeError as e:
-                raise ValueError(
-                    f"Invalid federation_jwks {self.config['trust']['federation']['config']['federation_jwks']} JSON: {e}"
-                )
-
-        if isinstance(
-            self.config["trust"]["federation"]["config"]["federation_jwks"], dict
-        ):
-            self.config["trust"]["federation"]["config"]["federation_jwks"] = [
-                self.config["trust"]["federation"]["config"]["federation_jwks"]
-            ]
-
-        if isinstance(self.config["metadata_jwks"], str):
-            try:
-                self.config["metadata_jwks"] = json.loads(self.config["metadata_jwks"])
-            except json.JSONDecodeError as e:
-                raise ValueError(
-                    f"Invalid metadata_jwks {self.config['metadata_jwks']} JSON: {e}"
-                )
-
-        if isinstance(self.config["metadata_jwks"], dict):
-            self.config["metadata_jwks"] = [self.config["metadata_jwks"]]
-
         self.metadata_jwks_by_kids = {i["kid"]: i for i in self.config["metadata_jwks"]}
         self.config["metadata"]["jwks"] = {
             "keys": [JWK(i).public_key for i in self.config["metadata_jwks"]]