From acc11a3629456da3423a5a73b96ad61968ae2679 Mon Sep 17 00:00:00 2001 From: Timo Glastra Date: Wed, 29 Jan 2025 23:35:51 +0800 Subject: [PATCH] feat: support iso 18013-7 draft 2024-03-12 Signed-off-by: Timo Glastra --- .changeset/rotten-apes-sing.md | 7 + CONTRIBUTING.md | 11 ++ LICENSE | 176 ++++++++++++++++++ README.md | 10 +- .../issuing/device-response-with-mac.tests.ts | 58 +++--- .../issuing/device-response.tests.ts | 23 ++- src/mdoc/model/device-response.ts | 85 ++++++--- src/mdoc/verifier.ts | 2 +- 8 files changed, 300 insertions(+), 72 deletions(-) create mode 100644 .changeset/rotten-apes-sing.md create mode 100644 CONTRIBUTING.md create mode 100644 LICENSE diff --git a/.changeset/rotten-apes-sing.md b/.changeset/rotten-apes-sing.md new file mode 100644 index 0000000..56e3fc1 --- /dev/null +++ b/.changeset/rotten-apes-sing.md @@ -0,0 +1,7 @@ +--- +"@animo-id/mdoc": minor +--- + +feat: support ISO 18013-7 Draft 2024-03-12. + +This mostly changes the structure of the calculated session transcript bytes for usage with the Web API or OpenID4VP. This is a breaking change and incompatible with older versions of this library. diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..3dbca31 --- /dev/null +++ b/CONTRIBUTING.md @@ -0,0 +1,11 @@ +## How to contribute + +You are encouraged to contribute to the repository by **forking and submitting a pull request**. + +(If you are new to GitHub, you might start with a [basic tutorial](https://help.github.com/articles/set-up-git) and check out a more detailed guide to [pull requests](https://help.github.com/articles/using-pull-requests/).) + +Pull requests will be evaluated by the repository guardians on a schedule and if deemed beneficial will be committed to the main branch. Pull requests should have a descriptive name and include an summary of all changes made in the pull request description. + +If you would like to propose a significant change, please open an issue first to discuss the proposed changes with the community and to avoid re-work. + +Contributions are made pursuant to the Developer's Certificate of Origin, available at [https://developercertificate.org](https://developercertificate.org), and licensed under the Apache License, version 2.0 (Apache-2.0). diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..8318dc0 --- /dev/null +++ b/LICENSE @@ -0,0 +1,176 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + +2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + +3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + +4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + +5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + +6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + +8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + +9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + +END OF TERMS AND CONDITIONS diff --git a/README.md b/README.md index 2e2bdc0..949f97c 100644 --- a/README.md +++ b/README.md @@ -10,7 +10,7 @@ [ISO 18013-5](https://www.iso.org/standard/69084.html) defines mDL (mobile Driver’s Licenses): an ISO standard for digital driver licenses. -This is a JavaScript library for Node.JS, browers and React Native to issue and verify mDL [CBOR encoded](https://cbor.io/) documents in accordance with **ISO 18013-7 (draft's date: 2023-08-02)**. +This is a JavaScript library for Node.JS, browers and React Native to issue and verify mDL [CBOR encoded](https://cbor.io/) documents in accordance with **ISO 18013-7 (draft's date: 2024-03-12)**.

Powered by   @@ -49,7 +49,7 @@ npm i @animo-id/mdoc ### Verifying a credential ```javascript -import { Verifier } from "@auth0/mdl"; +import { Verifier } from "@animo-id/mdoc"; import { inspect } from "node:util"; import fs from "node:fs"; @@ -76,7 +76,7 @@ import fs from "node:fs"; ### Getting diagnostic information ```javascript -import { Verifier } from "@auth0/mdl"; +import { Verifier } from "@animo-id/mdoc"; import { inspect } from "node:util"; import fs from "node:fs"; @@ -106,7 +106,7 @@ import fs from "node:fs"; ##$ Issuing a credential ```js -import { MDoc, Document } from "@auth0/mdl"; +import { MDoc, Document } from "@animo-id/mdoc"; import { inspect } from "node:util"; (async () => { @@ -135,7 +135,7 @@ import { inspect } from "node:util"; ##$ Generating a device response ```js -import { DeviceResponse, MDoc } from "@auth0/mdl"; +import { DeviceResponse, MDoc } from "@animo-id/mdoc"; (async () => { let issuerMDoc; diff --git a/src/__tests__/issuing/device-response-with-mac.tests.ts b/src/__tests__/issuing/device-response-with-mac.tests.ts index 113bfe1..128ee32 100644 --- a/src/__tests__/issuing/device-response-with-mac.tests.ts +++ b/src/__tests__/issuing/device-response-with-mac.tests.ts @@ -5,7 +5,7 @@ import * as jose from 'jose' import { beforeAll, describe, expect, it } from 'vitest' import { mdocContext } from '..' import type { DeviceSignedDocument } from '../..' -import { DataItem, DeviceResponse, Document, MDoc, Verifier, cborEncode, parseDeviceResponse } from '../..' +import { DeviceResponse, Document, MDoc, Verifier, parseDeviceResponse } from '../..' import { DEVICE_JWK, ISSUER_CERTIFICATE, ISSUER_PRIVATE_KEY_JWK, PRESENTATION_DEFINITION_1 } from './config.js' const { d, ...publicKeyJWK } = DEVICE_JWK @@ -87,15 +87,6 @@ describe('issuing a device response with MAC authentication', () => { const clientId = 'Cq1anPb8vZU5j5C0d7hcsbuJLBpIawUJIDQRi2Ebwb4' const responseUri = 'http://localhost:4000/api/presentation_request/dc8999df-d6ea-4c84-9985-37a8b81a82ec/callback' - const getSessionTranscriptBytes = (clId: string, respUri: string, nonce: string, mdocNonce: string) => - cborEncode( - DataItem.fromData([ - null, // DeviceEngagementBytes - null, // EReaderKeyBytes - [mdocNonce, clId, respUri, nonce], // Handover = OID4VPHandover - ]) - ) - beforeAll(async () => { // This is the Device side const deviceResponseMDoc = await DeviceResponse.from(mdoc) @@ -122,12 +113,13 @@ describe('issuing a device response with MAC authentication', () => { trustedCertificates: [new Uint8Array(new X509Certificate(ISSUER_CERTIFICATE).rawData)], encodedDeviceResponse, ephemeralReaderKey: ephemeralPrivateKey, - encodedSessionTranscript: getSessionTranscriptBytes( + encodedSessionTranscript: await DeviceResponse.calculateSessionTranscriptForOID4VP({ + context: mdocContext, clientId, responseUri, verifierGeneratedNonce, - mdocGeneratedNonce - ), + mdocGeneratedNonce, + }), }, mdocContext ) @@ -152,12 +144,13 @@ describe('issuing a device response with MAC authentication', () => { encodedDeviceResponse, trustedCertificates: [new Uint8Array(new X509Certificate(ISSUER_CERTIFICATE).rawData)], ephemeralReaderKey: ephemeralPrivateKey, - encodedSessionTranscript: getSessionTranscriptBytes( - values.clientId, - values.responseUri, - values.verifierGeneratedNonce, - values.mdocGeneratedNonce - ), + encodedSessionTranscript: await DeviceResponse.calculateSessionTranscriptForOID4VP({ + context: mdocContext, + clientId: values.clientId, + responseUri: values.responseUri, + verifierGeneratedNonce: values.verifierGeneratedNonce, + mdocGeneratedNonce: values.mdocGeneratedNonce, + }), }, mdocContext ) @@ -194,15 +187,6 @@ describe('issuing a device response with MAC authentication', () => { const readerEngagementBytes = randomFillSync(Buffer.alloc(32)) const deviceEngagementBytes = randomFillSync(Buffer.alloc(32)) - const getSessionTranscriptBytes = (rdrEngtBytes: Buffer, devEngtBytes: Buffer, eRdrKeyBytes: Buffer) => - cborEncode( - DataItem.fromData([ - new DataItem({ buffer: devEngtBytes }), - new DataItem({ buffer: eRdrKeyBytes }), - rdrEngtBytes, - ]) - ) - beforeAll(async () => { // This is the verifier side before requesting the Device Response { @@ -238,11 +222,12 @@ describe('issuing a device response with MAC authentication', () => { trustedCertificates: [new Uint8Array(new X509Certificate(ISSUER_CERTIFICATE).rawData)], encodedDeviceResponse, ephemeralReaderKey: ephemeralPrivateKey, - encodedSessionTranscript: getSessionTranscriptBytes( + encodedSessionTranscript: await DeviceResponse.calculateSessionTranscriptForWebApi({ + context: mdocContext, readerEngagementBytes, deviceEngagementBytes, - eReaderKeyBytes - ), + eReaderKeyBytes, + }), }, mdocContext ) @@ -268,11 +253,12 @@ describe('issuing a device response with MAC authentication', () => { trustedCertificates: [new Uint8Array(new X509Certificate(ISSUER_CERTIFICATE).rawData)], encodedDeviceResponse, ephemeralReaderKey: ephemeralPrivateKey, - encodedSessionTranscript: getSessionTranscriptBytes( - values.readerEngagementBytes, - values.deviceEngagementBytes, - values.eReaderKeyBytes - ), + encodedSessionTranscript: await DeviceResponse.calculateSessionTranscriptForWebApi({ + context: mdocContext, + readerEngagementBytes: values.readerEngagementBytes, + deviceEngagementBytes: values.deviceEngagementBytes, + eReaderKeyBytes: values.eReaderKeyBytes, + }), }, mdocContext ) diff --git a/src/__tests__/issuing/device-response.tests.ts b/src/__tests__/issuing/device-response.tests.ts index 9bbaba4..526a682 100644 --- a/src/__tests__/issuing/device-response.tests.ts +++ b/src/__tests__/issuing/device-response.tests.ts @@ -107,7 +107,8 @@ describe('issuing a device response', () => { { trustedCertificates: [new Uint8Array(new X509Certificate(ISSUER_CERTIFICATE).rawData)], encodedDeviceResponse, - encodedSessionTranscript: DeviceResponse.calculateSessionTranscriptForOID4VP({ + encodedSessionTranscript: await DeviceResponse.calculateSessionTranscriptForOID4VP({ + context: mdocContext, clientId, responseUri, verifierGeneratedNonce, @@ -136,7 +137,8 @@ describe('issuing a device response', () => { { trustedCertificates: [new Uint8Array(new X509Certificate(ISSUER_CERTIFICATE).rawData)], encodedDeviceResponse, - encodedSessionTranscript: DeviceResponse.calculateSessionTranscriptForOID4VP({ + encodedSessionTranscript: await DeviceResponse.calculateSessionTranscriptForOID4VP({ + context: mdocContext, clientId: values.clientId, responseUri: values.responseUri, verifierGeneratedNonce: values.verifierGeneratedNonce, @@ -218,7 +220,8 @@ describe('issuing a device response', () => { { trustedCertificates: [new Uint8Array(new X509Certificate(ISSUER_CERTIFICATE).rawData)], encodedDeviceResponse, - encodedSessionTranscript: DeviceResponse.calculateSessionTranscriptForWebApi({ + encodedSessionTranscript: await DeviceResponse.calculateSessionTranscriptForWebApi({ + context: mdocContext, readerEngagementBytes, deviceEngagementBytes, eReaderKeyBytes, @@ -246,11 +249,12 @@ describe('issuing a device response', () => { { trustedCertificates: [new Uint8Array(new X509Certificate(ISSUER_CERTIFICATE).rawData)], encodedDeviceResponse, - encodedSessionTranscript: getSessionTranscriptBytes( - values.readerEngagementBytes, - values.deviceEngagementBytes, - values.eReaderKeyBytes - ), + encodedSessionTranscript: await DeviceResponse.calculateSessionTranscriptForWebApi({ + context: mdocContext, + readerEngagementBytes: values.readerEngagementBytes, + deviceEngagementBytes: values.deviceEngagementBytes, + eReaderKeyBytes: values.eReaderKeyBytes, + }), }, mdocContext ) @@ -328,7 +332,8 @@ describe('issuing a device response', () => { { trustedCertificates: [new Uint8Array(new X509Certificate(ISSUER_CERTIFICATE).rawData)], encodedDeviceResponse, - encodedSessionTranscript: DeviceResponse.calculateSessionTranscriptForWebApi({ + encodedSessionTranscript: await DeviceResponse.calculateSessionTranscriptForWebApi({ + context: mdocContext, readerEngagementBytes, deviceEngagementBytes, eReaderKeyBytes, diff --git a/src/mdoc/model/device-response.ts b/src/mdoc/model/device-response.ts index 47c5635..1db8116 100644 --- a/src/mdoc/model/device-response.ts +++ b/src/mdoc/model/device-response.ts @@ -28,6 +28,10 @@ import { import type { InputDescriptor, PresentationDefinition } from './presentation-definition.js' import type { DeviceAuth, DeviceSigned, MacSupportedAlgs, SupportedAlgs } from './types.js' +type SessionTranscriptCallback = (context: { + crypto: MdocContext['crypto'] +}) => Promise + /** * A builder class for creating a device response. */ @@ -36,6 +40,7 @@ export class DeviceResponse { private pd?: PresentationDefinition private deviceRequest?: DeviceRequest private sessionTranscriptBytes?: Uint8Array + private sessionTranscriptCallback?: SessionTranscriptCallback private useMac = true private devicePrivateKey?: JWK public nameSpaces: Map> = new Map() @@ -110,7 +115,7 @@ export class DeviceResponse { * @returns {DeviceResponse} */ public usingSessionTranscriptBytes(sessionTranscriptBytes: Uint8Array): DeviceResponse { - if (this.sessionTranscriptBytes) { + if (this.sessionTranscriptBytes || this.sessionTranscriptCallback) { throw new Error( 'A session transcript has already been set, either with .usingSessionTranscriptForOID4VP, .usingSessionTranscriptForWebAPI or .usingSessionTranscriptBytes' ) @@ -119,8 +124,19 @@ export class DeviceResponse { return this } + private usingSessionTranscriptCallback(sessionTranscriptCallback: SessionTranscriptCallback): DeviceResponse { + if (this.sessionTranscriptBytes || this.sessionTranscriptCallback) { + throw new Error( + 'A session transcript has already been set, either with .usingSessionTranscriptForOID4VP, .usingSessionTranscriptForWebAPI or .usingSessionTranscriptBytes' + ) + } + + this.sessionTranscriptCallback = sessionTranscriptCallback + return this + } + /** - * Set the session transcript data to use for the device response as defined in ISO/IEC 18013-7 in Annex B (OID4VP), 2023 draft. + * Set the session transcript data to use for the device response as defined in ISO/IEC 18013-7 in Annex B (OID4VP), 2024 draft. * * This should match the session transcript as it will be calculated by the verifier. * @@ -136,30 +152,44 @@ export class DeviceResponse { responseUri: string verifierGeneratedNonce: string }): DeviceResponse { - const bytes = DeviceResponse.calculateSessionTranscriptForOID4VP(input) - this.usingSessionTranscriptBytes(bytes) + this.usingSessionTranscriptCallback((context) => + DeviceResponse.calculateSessionTranscriptForOID4VP({ ...input, context }) + ) return this } - public static calculateSessionTranscriptForOID4VP(input: { + public static async calculateSessionTranscriptForOID4VP(input: { + context: { + crypto: MdocContext['crypto'] + } mdocGeneratedNonce: string clientId: string responseUri: string verifierGeneratedNonce: string }) { - const { mdocGeneratedNonce, clientId, responseUri, verifierGeneratedNonce } = input + const { mdocGeneratedNonce, clientId, responseUri, verifierGeneratedNonce, context } = input return cborEncode( DataItem.fromData([ null, // deviceEngagementBytes null, // eReaderKeyBytes - [mdocGeneratedNonce, clientId, responseUri, verifierGeneratedNonce], + [ + await context.crypto.digest({ + digestAlgorithm: 'SHA-256', + bytes: cborEncode([clientId, mdocGeneratedNonce]), + }), + await context.crypto.digest({ + digestAlgorithm: 'SHA-256', + bytes: cborEncode([responseUri, mdocGeneratedNonce]), + }), + verifierGeneratedNonce, + ], ]) ) } /** - * Set the session transcript data to use for the device response as defined in ISO/IEC 18013-7 in Annex A (Web API), 2023 draft. + * Set the session transcript data to use for the device response as defined in ISO/IEC 18013-7 in Annex A (Web API), 2024 draft. * * This should match the session transcript as it will be calculated by the verifier. * @@ -173,23 +203,32 @@ export class DeviceResponse { readerEngagementBytes: Uint8Array eReaderKeyBytes: Uint8Array }): DeviceResponse { - const bytes = DeviceResponse.calculateSessionTranscriptForWebApi(input) - this.usingSessionTranscriptBytes(bytes) + this.usingSessionTranscriptCallback((context) => + DeviceResponse.calculateSessionTranscriptForWebApi({ ...input, context }) + ) return this } - public static calculateSessionTranscriptForWebApi(input: { + public static async calculateSessionTranscriptForWebApi(input: { + context: { + crypto: MdocContext['crypto'] + } deviceEngagementBytes: Uint8Array readerEngagementBytes: Uint8Array eReaderKeyBytes: Uint8Array }) { - const { deviceEngagementBytes, eReaderKeyBytes, readerEngagementBytes } = input + const { deviceEngagementBytes, eReaderKeyBytes, readerEngagementBytes, context } = input + + const readerEngagementBytesHash = await context.crypto.digest({ + bytes: readerEngagementBytes, + digestAlgorithm: 'SHA-256', + }) return cborEncode( DataItem.fromData([ new DataItem({ buffer: deviceEngagementBytes }), new DataItem({ buffer: eReaderKeyBytes }), - readerEngagementBytes, + readerEngagementBytesHash, ]) ) } @@ -252,7 +291,14 @@ export class DeviceResponse { ) } - if (!this.sessionTranscriptBytes) { + // Calculate session transcript bytes if not calculated previously yet + if (!this.sessionTranscriptBytes && this.sessionTranscriptCallback) { + this.sessionTranscriptBytes = await this.sessionTranscriptCallback(ctx) + this.sessionTranscriptCallback = undefined + } + + const sessionTranscriptBytes = this.sessionTranscriptBytes + if (!sessionTranscriptBytes) { throw new Error( 'Must provide the session transcript with either .usingSessionTranscriptForOID4VP, .usingSessionTranscriptForWebAPI or .usingSessionTranscriptBytes' ) @@ -279,7 +325,7 @@ export class DeviceResponse { nameSpaces: disclosedNameSpaces, issuerAuth: mdoc.issuerSigned.issuerAuth, }, - await this.getDeviceSigned(mdoc.docType, ctx) + await this.getDeviceSigned(mdoc.docType, sessionTranscriptBytes, ctx) ) }) ) @@ -289,24 +335,21 @@ export class DeviceResponse { private async getDeviceSigned( docType: string, + sessionTranscriptBytes: Uint8Array, ctx: { cose: MdocContext['cose'] crypto: MdocContext['crypto'] } ): Promise { const deviceAuthenticationBytes = calculateDeviceAutenticationBytes( - this.sessionTranscriptBytes, + sessionTranscriptBytes, docType, this.nameSpaces ) let deviceAuth: DeviceAuth if (this.useMac) { - if (!this.sessionTranscriptBytes) { - throw new Error('Missing sessionTranscriptBytes for getDeviceSigned') - } - - deviceAuth = await this.getDeviceAuthMac(deviceAuthenticationBytes, this.sessionTranscriptBytes, ctx) + deviceAuth = await this.getDeviceAuthMac(deviceAuthenticationBytes, sessionTranscriptBytes, ctx) } else { deviceAuth = await this.getDeviceAuthSign(deviceAuthenticationBytes, ctx) } diff --git a/src/mdoc/verifier.ts b/src/mdoc/verifier.ts index 9d8641e..92e3ed3 100644 --- a/src/mdoc/verifier.ts +++ b/src/mdoc/verifier.ts @@ -235,7 +235,7 @@ export class Verifier { ? ephemeralPrivateKey : COSEKeyToRAW(COSEKey.fromJWK(ephemeralPrivateKey).encode()), publicKey: deviceKeyRaw, - sessionTranscriptBytes: sessionTranscriptBytes, + sessionTranscriptBytes, }) const isValid = await ctx.cose.mac0.verify({