fix: do not encode sessionTranscript as data item for device authentication (#101)

Signed-off-by: Berend Sliedrecht <[email protected]>

Author: berendsliedrecht

pnpm-workspace.yaml

@@ -0,0 +1,2 @@
+onlyBuiltDependencies:
+  - esbuild

src/mdoc/models/device-authentication.ts

@@ -1,9 +1,14 @@
-import { type CborDecodeOptions, CborStructure, cborDecode } from '../../cbor'
-import { DeviceNamespaces } from './device-namespaces'
+import { type CborDecodeOptions, CborStructure, cborDecode, DataItem } from '../../cbor'
+import { DeviceNamespaces, type DeviceNamespacesStructure } from './device-namespaces'
 import type { DocType } from './doctype'
-import { SessionTranscript } from './session-transcript'
+import { SessionTranscript, type SessionTranscriptStructure } from './session-transcript'
 
-export type DeviceAuthenticationStructure = [string, Uint8Array, DocType, Uint8Array]
+export type DeviceAuthenticationStructure = [
+  string,
+  SessionTranscriptStructure,
+  DocType,
+  DataItem<DeviceNamespacesStructure>,
+]
 
 export type DeviceAuthenticationOptions = {
   sessionTranscript: SessionTranscript | Uint8Array
@@ -29,17 +34,17 @@ export class DeviceAuthentication extends CborStructure {
   public encodedStructure(): DeviceAuthenticationStructure {
     return [
       'DeviceAuthentication',
-      this.sessionTranscript.encode({ asDataItem: true }),
+      this.sessionTranscript.encodedStructure(),
       this.docType,
-      this.deviceNamespaces.encode({ asDataItem: true }),
+      DataItem.fromData(this.deviceNamespaces.encodedStructure()),
     ]
   }
 
   public static override fromEncodedStructure(encodedStructure: DeviceAuthenticationStructure): DeviceAuthentication {
     return new DeviceAuthentication({
-      sessionTranscript: SessionTranscript.decode(encodedStructure[1]),
+      sessionTranscript: SessionTranscript.fromEncodedStructure(encodedStructure[1]),
       docType: encodedStructure[2],
-      deviceNamespaces: DeviceNamespaces.decode(encodedStructure[3]),
+      deviceNamespaces: DeviceNamespaces.fromEncodedStructure(encodedStructure[3].data),
     })
   }
 

src/mdoc/models/handover.ts

@@ -0,0 +1,7 @@
+import { CborStructure } from '../../cbor'
+
+export abstract class Handover extends CborStructure {
+  public static isCorrectHandover(_structure: unknown): boolean {
+    return false
+  }
+}

src/mdoc/models/index.ts

@@ -2,6 +2,7 @@ export * from './ble-options'
 export * from './data-element-identifier'
 export * from './data-element-value'
 export * from './device-auth'
+export * from './device-authentication'
 export * from './device-engagement'
 export * from './device-key'
 export * from './device-key-info'

src/mdoc/models/nfc-handover.ts

@@ -1,4 +1,5 @@
-import { CborStructure } from '../../cbor'
+import { type CborDecodeOptions, cborDecode } from '../../cbor'
+import { Handover } from './handover'
 
 export type NfcHandoverStructure = [Uint8Array, Uint8Array | null]
 
@@ -7,7 +8,7 @@ export type NfcHandoverOptions = {
   requestMessage?: Uint8Array
 }
 
-export class NfcHandover extends CborStructure {
+export class NfcHandover extends Handover {
   public selectMessage: Uint8Array
   public requestMessage?: Uint8Array
 
@@ -27,4 +28,17 @@ export class NfcHandover extends CborStructure {
       requestMessage: encodedStructure[1] ?? undefined,
     })
   }
+
+  public static override decode(bytes: Uint8Array, options?: CborDecodeOptions): NfcHandover {
+    const structure = cborDecode<NfcHandoverStructure>(bytes, { ...(options ?? {}), mapsAsObjects: false })
+    return NfcHandover.fromEncodedStructure(structure)
+  }
+
+  public static isCorrectHandover(structure: unknown): structure is NfcHandoverStructure {
+    return (
+      Array.isArray(structure) &&
+      structure[0] instanceof Uint8Array &&
+      (structure[1] instanceof Uint8Array || structure[1] === null)
+    )
+  }
 }

src/mdoc/models/oid4vp-dc-api-draft24-handover-info.ts

@@ -0,0 +1,44 @@
+import { type CborDecodeOptions, CborStructure, cborDecode } from '../../cbor'
+
+export type Oid4vpDcApiDraft24HandoverInfoStructure = [string, string, string]
+
+export type Oid4vpDcApiDraft24HandoverInfoOptions = {
+  origin: string
+  clientId: string
+  nonce: string
+}
+
+export class Oid4vpDcApiDraft24HandoverInfo extends CborStructure {
+  public origin: string
+  public clientId: string
+  public nonce: string
+
+  public constructor(options: Oid4vpDcApiDraft24HandoverInfoOptions) {
+    super()
+    this.origin = options.origin
+    this.clientId = options.clientId
+    this.nonce = options.nonce
+  }
+
+  public encodedStructure(): Oid4vpDcApiDraft24HandoverInfoStructure {
+    return [this.origin, this.clientId, this.nonce]
+  }
+
+  public static override fromEncodedStructure(
+    encodedStructure: Oid4vpDcApiDraft24HandoverInfoStructure
+  ): Oid4vpDcApiDraft24HandoverInfo {
+    return new Oid4vpDcApiDraft24HandoverInfo({
+      origin: encodedStructure[0],
+      clientId: encodedStructure[1],
+      nonce: encodedStructure[2],
+    })
+  }
+
+  public static override decode(bytes: Uint8Array, options?: CborDecodeOptions): Oid4vpDcApiDraft24HandoverInfo {
+    const structure = cborDecode<Oid4vpDcApiDraft24HandoverInfoStructure>(bytes, {
+      ...(options ?? {}),
+      mapsAsObjects: false,
+    })
+    return Oid4vpDcApiDraft24HandoverInfo.fromEncodedStructure(structure)
+  }
+}

src/mdoc/models/oid4vp-dc-api-handover-info.ts

@@ -0,0 +1,41 @@
+import { type CborDecodeOptions, CborStructure, cborDecode } from '../../cbor'
+
+export type Oid4vpDcApiHandoverInfoStructure = [string, string, Uint8Array | null]
+
+export type Oid4vpDcApiHandoverInfoOptions = {
+  origin: string
+  nonce: string
+  jwkThumbprint?: Uint8Array
+}
+
+export class Oid4vpDcApiHandoverInfo extends CborStructure {
+  public origin: string
+  public nonce: string
+  public jwkThumbprint?: Uint8Array
+
+  public constructor(options: Oid4vpDcApiHandoverInfoOptions) {
+    super()
+    this.origin = options.origin
+    this.nonce = options.nonce
+    this.jwkThumbprint = options.jwkThumbprint
+  }
+
+  public encodedStructure(): Oid4vpDcApiHandoverInfoStructure {
+    return [this.origin, this.nonce, this.jwkThumbprint ?? null]
+  }
+
+  public static override fromEncodedStructure(
+    encodedStructure: Oid4vpDcApiHandoverInfoStructure
+  ): Oid4vpDcApiHandoverInfo {
+    return new Oid4vpDcApiHandoverInfo({
+      origin: encodedStructure[0],
+      nonce: encodedStructure[1],
+      jwkThumbprint: encodedStructure[2] ?? undefined,
+    })
+  }
+
+  public static override decode(bytes: Uint8Array, options?: CborDecodeOptions): Oid4vpDcApiHandoverInfo {
+    const structure = cborDecode<Oid4vpDcApiHandoverInfoStructure>(bytes, { ...(options ?? {}), mapsAsObjects: false })
+    return Oid4vpDcApiHandoverInfo.fromEncodedStructure(structure)
+  }
+}

src/mdoc/models/oid4vp-dc-api-handover.ts

@@ -0,0 +1,59 @@
+import { type CborDecodeOptions, cborDecode } from '../../cbor'
+import type { MdocContext } from '../../context'
+import { Handover } from './handover'
+import type { Oid4vpDcApiDraft24HandoverInfo } from './oid4vp-dc-api-draft24-handover-info'
+import type { Oid4vpDcApiHandoverInfo } from './oid4vp-dc-api-handover-info'
+
+export type Oid4vpDcApiHandoverStructure = [string, Uint8Array]
+
+export type Oid4vpDcApiHandoverOptions = {
+  oid4vpDcApiHandoverInfo?: Oid4vpDcApiHandoverInfo | Oid4vpDcApiDraft24HandoverInfo
+  oid4vpDcApiHandoverInfoHash?: Uint8Array
+}
+
+export class Oid4vpDcApiHandover extends Handover {
+  public oid4vpDcApiHandoverInfo?: Oid4vpDcApiHandoverInfo | Oid4vpDcApiDraft24HandoverInfo
+  public oid4vpDcApiHandoverInfoHash?: Uint8Array
+
+  public constructor(options: Oid4vpDcApiHandoverOptions) {
+    super()
+    this.oid4vpDcApiHandoverInfo = options.oid4vpDcApiHandoverInfo
+    this.oid4vpDcApiHandoverInfoHash = options.oid4vpDcApiHandoverInfoHash
+  }
+
+  public async prepare(ctx: Pick<MdocContext, 'crypto'>) {
+    if (!this.oid4vpDcApiHandoverInfo && !this.oid4vpDcApiHandoverInfoHash) {
+      throw new Error(`Either the 'oid4vpDcApiHandoverInfo' or 'oid4vpDcApiHandoverInfoHash' must be set`)
+    }
+
+    if (this.oid4vpDcApiHandoverInfo) {
+      this.oid4vpDcApiHandoverInfoHash = await ctx.crypto.digest({
+        digestAlgorithm: 'SHA-256',
+        bytes: this.oid4vpDcApiHandoverInfo.encode(),
+      })
+    }
+  }
+
+  public encodedStructure(): Oid4vpDcApiHandoverStructure {
+    if (!this.oid4vpDcApiHandoverInfoHash) {
+      throw new Error('Call `prepare` first to create the hash over the handover info')
+    }
+
+    return ['OpenID4VPDCAPIHandover', this.oid4vpDcApiHandoverInfoHash]
+  }
+
+  public static override fromEncodedStructure(encodedStructure: Oid4vpDcApiHandoverStructure): Oid4vpDcApiHandover {
+    return new Oid4vpDcApiHandover({
+      oid4vpDcApiHandoverInfoHash: encodedStructure[1],
+    })
+  }
+
+  public static override decode(bytes: Uint8Array, options?: CborDecodeOptions): Oid4vpDcApiHandover {
+    const structure = cborDecode<Oid4vpDcApiHandoverStructure>(bytes, { ...(options ?? {}), mapsAsObjects: false })
+    return Oid4vpDcApiHandover.fromEncodedStructure(structure)
+  }
+
+  public static isCorrectHandover(structure: unknown): structure is Oid4vpDcApiHandoverStructure {
+    return Array.isArray(structure) && structure[0] === 'OpenID4VPDCAPIHandover'
+  }
+}

src/mdoc/models/oid4vp-draft18-handover.ts

@@ -0,0 +1,102 @@
+import { type CborDecodeOptions, cborDecode, cborEncode } from '../../cbor'
+import type { MdocContext } from '../../context'
+import { Handover } from './handover'
+
+export type Oid4vpDraft18HandoverStructure = [Uint8Array, Uint8Array, string]
+
+export type Oid4vpDraft18HandoverOptions = {
+  mdocGeneratedNonce?: string
+  clientId?: string
+  responseUri?: string
+  nonce: string
+
+  clientIdHash?: Uint8Array
+  responseUriHash?: Uint8Array
+}
+
+/**
+ *
+ * @note this will be removed as it is already a legacy handover structure
+ *
+ */
+export class Oid4vpDraft18Handover extends Handover {
+  public mdocGeneratedNonce?: string
+  public clientId?: string
+  public responseUri?: string
+  public nonce: string
+
+  public clientIdHash?: Uint8Array
+  public responseUriHash?: Uint8Array
+
+  public constructor(options: Oid4vpDraft18HandoverOptions) {
+    super()
+    this.mdocGeneratedNonce = options.mdocGeneratedNonce
+    this.clientId = options.clientId
+    this.responseUri = options.responseUri
+    this.nonce = options.nonce
+
+    this.clientIdHash = options.clientIdHash
+    this.responseUriHash = options.responseUriHash
+  }
+
+  public async prepare(ctx: Pick<MdocContext, 'crypto'>) {
+    if (
+      (!this.mdocGeneratedNonce || !this.clientId || !this.responseUri) &&
+      (!this.clientIdHash || !this.responseUriHash)
+    ) {
+      throw new Error(
+        'Either the responseUriHash and clientIdHash must be set or the clientId, responseUri and mdocGeneratedNonce'
+      )
+    }
+
+    if (this.clientId && this.mdocGeneratedNonce) {
+      this.clientIdHash = await ctx.crypto.digest({
+        digestAlgorithm: 'SHA-256',
+        bytes: cborEncode([this.clientId, this.mdocGeneratedNonce]),
+      })
+    }
+
+    if (this.responseUri && this.mdocGeneratedNonce) {
+      this.responseUriHash = await ctx.crypto.digest({
+        digestAlgorithm: 'SHA-256',
+        bytes: cborEncode([this.responseUri, this.mdocGeneratedNonce]),
+      })
+    }
+
+    if (!this.clientIdHash || !this.responseUriHash) {
+      throw new Error(
+        'Could not hash the client id and/or the response uri. Make sure the properties are set on the class, or manually provide the hashed client id and response uri with the mdoc generated nonce'
+      )
+    }
+  }
+
+  public encodedStructure(): Oid4vpDraft18HandoverStructure {
+    if (!this.clientIdHash || !this.responseUriHash) {
+      throw new Error('Call `prepare` first to create the hash over the client id and response uri')
+    }
+
+    return [this.clientIdHash, this.responseUriHash, this.nonce]
+  }
+
+  public static override fromEncodedStructure(encodedStructure: Oid4vpDraft18HandoverStructure): Oid4vpDraft18Handover {
+    return new Oid4vpDraft18Handover({
+      clientIdHash: encodedStructure[0],
+      responseUriHash: encodedStructure[1],
+      nonce: encodedStructure[2],
+    })
+  }
+
+  public static override decode(bytes: Uint8Array, options?: CborDecodeOptions): Oid4vpDraft18Handover {
+    const structure = cborDecode<Oid4vpDraft18HandoverStructure>(bytes, { ...(options ?? {}), mapsAsObjects: false })
+    return Oid4vpDraft18Handover.fromEncodedStructure(structure)
+  }
+
+  public static isCorrectHandover(structure: unknown): structure is Oid4vpDraft18HandoverStructure {
+    return (
+      Array.isArray(structure) &&
+      structure[0] instanceof Uint8Array &&
+      structure[1] instanceof Uint8Array &&
+      typeof structure[2] === 'string'
+    )
+  }
+}

src/mdoc/models/oid4vp-handover-info.ts

@@ -0,0 +1,43 @@
+import { type CborDecodeOptions, CborStructure, cborDecode } from '../../cbor'
+
+export type Oid4vpHandoverInfoStructure = [string, string, Uint8Array | null, string]
+
+export type Oid4vpHandoverInfoOptions = {
+  clientId: string
+  nonce: string
+  jwkThumbprint?: Uint8Array
+  responseUri: string
+}
+
+export class Oid4vpHandoverInfo extends CborStructure {
+  public clientId: string
+  public nonce: string
+  public jwkThumbprint?: Uint8Array
+  public responseUri: string
+
+  public constructor(options: Oid4vpHandoverInfoOptions) {
+    super()
+    this.clientId = options.clientId
+    this.nonce = options.nonce
+    this.jwkThumbprint = options.jwkThumbprint
+    this.responseUri = options.responseUri
+  }
+
+  public encodedStructure(): Oid4vpHandoverInfoStructure {
+    return [this.clientId, this.nonce, this.jwkThumbprint ?? null, this.responseUri]
+  }
+
+  public static override fromEncodedStructure(encodedStructure: Oid4vpHandoverInfoStructure): Oid4vpHandoverInfo {
+    return new Oid4vpHandoverInfo({
+      clientId: encodedStructure[0],
+      nonce: encodedStructure[1],
+      jwkThumbprint: encodedStructure[2] ?? undefined,
+      responseUri: encodedStructure[3],
+    })
+  }
+
+  public static override decode(bytes: Uint8Array, options?: CborDecodeOptions): Oid4vpHandoverInfo {
+    const structure = cborDecode<Oid4vpHandoverInfoStructure>(bytes, { ...(options ?? {}), mapsAsObjects: false })
+    return Oid4vpHandoverInfo.fromEncodedStructure(structure)
+  }
+}