open-eid / eudi-qeaa-wallet-mock


Incorrect DeviceAuthentication's sessionTranscript format #5

Closed ydanneg closed 5 months ago

ydanneg commented 5 months ago

According to ISO/IEC 18013-5:2021 and your own documentation, the sessionTranscript structure is an array type containing the following elements:

| Element | Description | Encoding |
|---|---|---|
| DeviceEngagementBytes | It MUST be set to null. | array |
| EReaderKeyBytes | It MUST be set to null. | null |
| Handover | It MUST be set to OpenID4VPHandover structure. | array |

But the current implementation has the wrong structure, which contains only the Handover element: https://github.com/open-eid/eudi-qeaa-wallet-mock/blob/3fe009bc464c7393cec54dedca4bd36ba409afa8/src/main/java/ee/ria/eudi/qeaa/wallet/util/MDocUtil.java#L23-L24

aarmam commented 5 months ago

That is correct. Actually, there will be additional changes related to the session transcript. The reference wallet and the walt.id library use OID4VPHandover as defined in ISO-18013-7 Annex B, B.4.4:

```cddl
OID4VPHandover = [
  clientIdHash,
  responseUriHash,
  nonce
]

clientIdHash = bstr
responseUriHash = bstr

clientIdToHash = [clientId, mdocGeneratedNonce]
responseUriToHash = [responseUri, mdocGeneratedNonce]

mdocGeneratedNonce = tstr
clientId = tstr
responseUri = tstr
nonce = tstr
```

Where clientIdHash is the SHA-256 hash of clientIdToHash and responseUriHash is the SHA-256 hash of the responseUriToHash. This leads to the use of mdocGeneratedNonce and the requirement to pass it to the verifier. According to ISO-23220-4 (and ISO-18013-7), the OpenID4VP flow should use response_mode=direct_post.jwt with JWT Secured Authorization response (JARM). To generate the JWE, the mdoc shall use the jwks, authorization_encrypted_response_alg and authorization_encrypted_response_enc from the Verifier Metadata.

According to the spec, the wallet shall set the apu JWT (JWE) header parameter to the base64url-encoded-with-no-padding value of the mdocGeneratedNonce of the SessionTranscript.

The value for vp_token shall contain the base64url-encoded-without-padding DeviceResponse data structure as defined in ISO/IEC 18013-5.

It is unclear to me how the other response modes are supported, if direct_post.jwt with JARM is the only response mode for delivering mdocGeneratedNonce to the verifier.

This is how the EUDI Wallet Reference Implementation currently works, at least when presenting PID to a verifier.

Do you have more insight on this? I will implement these changes next week.

ydanneg commented 5 months ago

The reference wallet does it in the same way as the PR suggests:

```kotlin
val sessionTranscriptBytes =
    CBORObject.NewArray().apply {
        Add(CBORObject.Null)
        Add(CBORObject.Null)
        Add(openID4VPHandover)
    }.EncodeToBytes()
```

Using wrong values in handover is a different issue, I agree.
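
The two encodings discussed in this thread, side by side, as an added example that is not part of the original issue or of the project's code. It builds the three-element SessionTranscript with the OID4VPHandover from the CDDL above and shows that the Handover-only form yields different bytes, so a wallet and a verifier using different shapes cannot agree on DeviceAuthentication. Assumptions: the hashes are taken over the CBOR encoding of each array, the small encoder covers only null, bstr, tstr and array, and all sample values are constructed.

```python
import hashlib
import struct

def _head(major: int, n: int) -> bytes:
    """CBOR initial byte plus the shortest-form length argument."""
    if n < 24:
        return bytes([major << 5 | n])
    for ai, fmt in ((24, ">B"), (25, ">H"), (26, ">I"), (27, ">Q")):
        if n < 1 << (8 * struct.calcsize(fmt)):
            return bytes([major << 5 | ai]) + struct.pack(fmt, n)
    raise ValueError("length too large")

def cbor(obj) -> bytes:
    """Minimal encoder: only the types this structure needs."""
    if obj is None:
        return b"\xf6"                       # null
    if isinstance(obj, bytes):
        return _head(2, len(obj)) + obj      # bstr
    if isinstance(obj, str):
        raw = obj.encode("utf-8")
        return _head(3, len(raw)) + raw      # tstr
    if isinstance(obj, list):
        return _head(4, len(obj)) + b"".join(cbor(x) for x in obj)
    raise TypeError(f"unsupported type: {type(obj).__name__}")

def oid4vp_handover(client_id, response_uri, nonce, mdoc_generated_nonce):
    # Assumption: each hash is SHA-256 over the CBOR encoding of the array.
    cid = hashlib.sha256(cbor([client_id, mdoc_generated_nonce])).digest()
    uri = hashlib.sha256(cbor([response_uri, mdoc_generated_nonce])).digest()
    return [cid, uri, nonce]

def session_transcript(handover) -> bytes:
    # [DeviceEngagementBytes, EReaderKeyBytes, Handover]; first two are null.
    return cbor([None, None, handover])

def handover_only(handover) -> bytes:
    # The shape reported in this issue: the Handover array on its own.
    return cbor(handover)

# Constructed sample values, not taken from the page.
H = oid4vp_handover("verifier.example", "https://verifier.example/response",
                    "constructed-nonce", "constructed-mdoc-nonce")
ST = session_transcript(H)
```

A verifier can reject the short form early by checking that the decoded transcript is a three-element array whose first two elements are null before recomputing the hashes.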