feat: added configuration to opt-in trust param header

Zicchio · Zicchio · commit c7c4a4e38589 · 2025-04-24T16:43:31.000+02:00
diff --git a/example/satosa/pyeudiw_backend.yaml b/example/satosa/pyeudiw_backend.yaml
@@ -209,6 +209,7 @@ config:
         httpc_params: *httpc_params
         cache_ttl: 0
         entity_configuration_exp: 600
+        # include_issued_jwt_header_param: true # default false; if true, it will include trust_chain header parameters in the signed presentation request issued by this trust handler
         metadata_type: "openid_credential_verifier"
         metadata: *metadata
         authority_hints:
@@ -248,6 +249,7 @@ config:
       config:
         # client_id: *client_id
         client_id_scheme: x509_san_dns # this will be prepended in the client id scheme used in the request. 
+        include_issued_jwt_header_param: true # default false; if true, it will include x5c header parameters in the signed presentation request issued by this trust handler
         certificate_authorities:
           - ca.example.com: |
                 -----BEGIN CERTIFICATE-----
diff --git a/pyeudiw/tests/settings.py b/pyeudiw/tests/settings.py
@@ -268,6 +268,7 @@ def base64url_to_int(val):
                         ta_jwk.serialize(private=False),
                     ]
                 },
+                "include_issued_jwt_header_param": True,
                 "default_sig_alg": "RS256",
                 "federation_jwks": [
                     jwk,
@@ -310,6 +311,7 @@ def base64url_to_int(val):
             "class": "X509Handler",
             "config": {
                 "client_id": f"{BASE_URL}/OpenID4VP",
+                "include_issued_jwt_header_param": True,
                 "relying_party_certificate_chains_by_ca":{
                     "ca.example.com": DEFAULT_X509_CHAIN,
                 },
diff --git a/pyeudiw/trust/dynamic.py b/pyeudiw/trust/dynamic.py
@@ -19,6 +19,8 @@
 
 UpsertMode = Union[Literal["update_first"], Literal["cache_first"]]
 
+INCLUDE_JWT_HEADER_CONFIG_NAME = "include_issued_jwt_header_param"
+
 
 class CombinedTrustEvaluator(BaseLogger):
     """
@@ -308,9 +310,9 @@ def get_jwt_header_trust_parameters(self, issuer: Optional[str] = None, force_up
         headers_params = {}
 
         for handler in self.handlers:
-            header = handler.extract_jwt_header_trust_parameters(trust_source)
-            if header:
-                headers_params.update(header)
+            if getattr(handler, INCLUDE_JWT_HEADER_CONFIG_NAME, None):
+                if header := handler.extract_jwt_header_trust_parameters(trust_source):
+                    headers_params.update(header)
         return headers_params
 
     def build_metadata_endpoints(
diff --git a/pyeudiw/trust/handler/x509.py b/pyeudiw/trust/handler/x509.py
@@ -133,7 +133,7 @@ def validate_trust_material(
         self, 
         x5c: list[str], 
         trust_source: TrustSourceData,
-    ) -> dict[bool, TrustSourceData]:
+    ) -> tuple[bool, TrustSourceData]:
         chain = [base64.b64decode(b64der) for b64der in x5c]
 
         if len(chain) > 1 and not verify_x509_attestation_chain(chain):
