ConsentScreen and SD-JWT fixes. (#1439)

Looks like we're not including the `x5c` claim when creating an SD-JWT
and the issuer signing key has a X.509 certificate chain. Fix this.

Also bunch of fixes for the ConsentScreen in testapp to make it work
with the latest update to the Compose libraries which fixes some bugs
the existing code was relying on.

Also temporarily disable running unit tests in the Android emulator
since it current breaks our GitHub runner due to insufficient disk
space.

Test: Manually tested.

Signed-off-by: David Zeuthen <[email protected]>

Author: davidz25

.github/workflows/unit-test.yml

@@ -30,23 +30,23 @@ jobs:
       run: ./gradlew build -x test
     - name: Run unit tests
       run: ./gradlew test
-    - name: Enable KVM
-      run: |
-        echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules
-        sudo udevadm control --reload-rules
-        sudo udevadm trigger --name-match=kvm
-    - name: Run unit tests on Android Emulator API 34
-      uses: reactivecircus/android-emulator-runner@v2
-      with:
-        api-level: 34
-        arch: x86_64
-        script: |
-          ./gradlew connectedCheck
-          mkdir -p build/reports/logcat
-          adb logcat -d > build/reports/logcat/logcat.txt || touch build/reports/logcat/logcat.txt
-    - name: Upload Logcat Output
-      if: always()
-      uses: actions/upload-artifact@v4
-      with:
-        name: android-logcat
-        path: build/reports/logcat/logcat.txt
+#    - name: Enable KVM
+#      run: |
+#        echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules
+#        sudo udevadm control --reload-rules
+#        sudo udevadm trigger --name-match=kvm
+#    - name: Run unit tests on Android Emulator API 34
+#      uses: reactivecircus/android-emulator-runner@v2
+#      with:
+#        api-level: 34
+#        arch: x86_64
+#        script: |
+#          ./gradlew connectedCheck
+#          mkdir -p build/reports/logcat
+#          adb logcat -d > build/reports/logcat/logcat.txt || touch build/reports/logcat/logcat.txt
+#    - name: Upload Logcat Output
+#      if: always()
+#      uses: actions/upload-artifact@v4
+#      with:
+#        name: android-logcat
+#        path: build/reports/logcat/logcat.txt

multipaz/src/commonMain/kotlin/org/multipaz/sdjwt/SdJwt.kt

@@ -331,7 +331,8 @@ class SdJwt(
          *
          * This implementation uses recursive disclosures for all claims in the [claims] parameter.
          *
-         * @param issuerKey the key to sign the issuerSigned JWT with.
+         * @param issuerKey the key to sign the issuerSigned JWT with. If this is a [AsymmetricKey.X509Certified]
+         *   the certificate chain will be included in the `x5c` claim and always be disclosed.
          * @param kbKey if set, a `cnf` claim with this public key will be included in the Issuer-signed JWT.
          * @param claims the object with claims that can be selectively disclosed.
          * @param nonSdClaims claims to include in the Issuer-signed JWT which are always disclosed. This must at least
@@ -363,7 +364,15 @@ class SdJwt(
                 creationTime = creationTime,
                 expiresIn = expiresIn
             ) {
+                if (issuerKey is AsymmetricKey.X509Certified) {
+                    put("x5c", issuerKey.certChain.toX5c())
+                }
                 for (claim in nonSdClaims) {
+                    if (claim.key == "x5c" && issuerKey is AsymmetricKey.X509Certified) {
+                        throw IllegalArgumentException(
+                            "Claim x5c is already included because `issuerKey` is X509Certified"
+                        )
+                    }
                     put(claim.key, claim.value)
                 }
 

multipaz/src/commonTest/kotlin/org/multipaz/presentment/model/digitalCredentialsPresentmentTest.kt

@@ -1,6 +1,7 @@
 package org.multipaz.presentment.model
 
 import kotlinx.coroutines.flow.MutableStateFlow
+import kotlinx.coroutines.runBlocking
 import kotlinx.coroutines.test.runTest
 import kotlinx.serialization.ExperimentalSerializationApi
 import kotlinx.serialization.json.Json
@@ -15,11 +16,11 @@ import org.multipaz.cbor.Simple
 import org.multipaz.cbor.addCborArray
 import org.multipaz.cbor.buildCborArray
 import org.multipaz.crypto.Algorithm
+import org.multipaz.crypto.AsymmetricKey
 import org.multipaz.crypto.Crypto
 import org.multipaz.crypto.EcCurve
 import org.multipaz.crypto.EcPrivateKey
 import org.multipaz.crypto.JsonWebEncryption
-import org.multipaz.crypto.AsymmetricKey
 import org.multipaz.crypto.X500Name
 import org.multipaz.crypto.X509CertChain
 import org.multipaz.document.Document
@@ -32,14 +33,14 @@ import org.multipaz.sdjwt.SdJwtKb
 import org.multipaz.storage.ephemeral.EphemeralStorage
 import org.multipaz.trustmanagement.TrustManagerLocal
 import org.multipaz.trustmanagement.TrustPoint
-import org.multipaz.util.Constants
 import org.multipaz.util.Logger
 import org.multipaz.util.fromBase64Url
 import org.multipaz.util.toBase64Url
+import kotlin.io.encoding.Base64
 import kotlin.random.Random
+import kotlin.test.BeforeTest
 import kotlin.test.Test
 import kotlin.test.assertEquals
-import kotlin.test.assertTrue
 
 class DigitalCredentialsPresentmentTest {
     companion object {
@@ -52,6 +53,12 @@ class DigitalCredentialsPresentmentTest {
 
     val documentStoreTestHarness = DocumentStoreTestHarness()
 
+    @BeforeTest
+    fun setup() = runBlocking {
+        documentStoreTestHarness.initialize()
+        documentStoreTestHarness.provisionStandardDocuments()
+    }
+
     class TestPresentmentMechanism(
         protocol: String,
         data: JsonObject,
@@ -95,9 +102,6 @@ class DigitalCredentialsPresentmentTest {
         encryptionKey: EcPrivateKey?,
         dcql: JsonObject
     ): TestOpenID4VPResponse {
-        documentStoreTestHarness.initialize()
-        documentStoreTestHarness.provisionStandardDocuments()
-
         val readerTrustManager = TrustManagerLocal(EphemeralStorage())
         val presentmentSource = SimplePresentmentSource(
             documentStore = documentStoreTestHarness.documentStore,
@@ -416,6 +420,9 @@ class DigitalCredentialsPresentmentTest {
             expectedSdJwtResponse =
                 """
                     {
+                      "x5c": [
+                        "${Base64.encode(documentStoreTestHarness.dsKey.certChain.certificates[0].encoded.toByteArray())}"
+                      ],
                       "iss": "https://example-issuer.com",
                       "vct": "urn:eudi:pid:1",
                       "family_name": "Mustermann",