Implement RP authentication (#323)

* add decoding of registration certificate

Signed-off-by: kenkosmowski <ken.kosmowski@gmx.de>

* parse registration certificate attachments in authorization request

Signed-off-by: kenkosmowski <ken.kosmowski@gmx.de>

* parse x5c in auth request attachment

Signed-off-by: kenkosmowski <ken.kosmowski@gmx.de>

* adjust parsing of registration certificate

Signed-off-by: kenkosmowski <ken.kosmowski@gmx.de>

* validate registration certificate

Signed-off-by: kenkosmowski <ken.kosmowski@gmx.de>

* use new registration certificate format

Signed-off-by: kenkosmowski <ken.kosmowski@gmx.de>

* add tests for registration certificate validation

Signed-off-by: kenkosmowski <ken.kosmowski@gmx.de>

* implement rp auth

Signed-off-by: Kevin <kevin.dinh@lissi.id>

---------

Signed-off-by: kenkosmowski <ken.kosmowski@gmx.de>
Signed-off-by: Kevin <kevin.dinh@lissi.id>
Co-authored-by: kenkosmowski <ken.kosmowski@gmx.de>

Author: Dindexx

test/WalletFramework.SdJwtVc.Tests/StatusListTests.cs renamed to src/WalletFramework.Core.Tests/StatusList/StatusListTests.cs

@@ -2,10 +2,10 @@
 using Moq;
 using Moq.Protected;
 using WalletFramework.Core.Credentials;
-using WalletFramework.SdJwtVc.Models.StatusList;
-using WalletFramework.SdJwtVc.Services;
+using WalletFramework.Core.StatusList;
+using Xunit;
 
-namespace WalletFramework.SdJwtVc.Tests;
+namespace WalletFramework.Core.Tests.StatusList;
 
 public class StatusListTests
 {

src/WalletFramework.Core.Tests/WalletFramework.Core.Tests.csproj

@@ -11,6 +11,7 @@
     <ItemGroup>
         <PackageReference Include="FluentAssertions" Version="6.12.0" />
         <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.1.0"/>
+        <PackageReference Include="Moq" Version="$(MoqVersion)" />
         <PackageReference Include="xunit" Version="2.9.0" />
         <PackageReference Include="xunit.runner.visualstudio" Version="2.4.3">
             <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>

src/WalletFramework.SdJwtVc/Services/IStatusListService.cs renamed to src/WalletFramework.Core/StatusList/IStatusListService.cs

@@ -1,8 +1,7 @@
 using LanguageExt;
 using WalletFramework.Core.Credentials;
-using WalletFramework.SdJwtVc.Models.StatusList;
 
-namespace WalletFramework.SdJwtVc.Services;
+namespace WalletFramework.Core.StatusList;
 
 public interface IStatusListService
 {

src/WalletFramework.Core/StatusList/StatusListEntry.cs

@@ -0,0 +1,53 @@
+using Newtonsoft.Json.Linq;
+using WalletFramework.Core.Functional;
+using WalletFramework.Core.Functional.Errors;
+using WalletFramework.Core.Json;
+using static WalletFramework.Core.StatusList.StatusListEntryFun;
+
+namespace WalletFramework.Core.StatusList;
+
+public record StatusListEntry(int Idx, string Uri)
+{
+    public static Validation<StatusListEntry> FromJObject(JObject json)
+    {
+        var idx = json.GetByKey(IdxJsonKey)
+            .OnSuccess(token => token.ToJValue())
+            .OnSuccess(jValue =>
+            {
+                var value = jValue.Value?.ToString();
+                if (string.IsNullOrWhiteSpace(value) || !int.TryParse(value, out var idx))
+                {
+                    return new StringIsNullOrWhitespaceError<StatusListEntry>();
+                }
+
+                return ValidationFun.Valid(idx);
+            });
+
+        var uri = json.GetByKey(UriJsonKey)
+            .OnSuccess(token => token.ToJValue())
+            .OnSuccess(value =>
+            {
+                if (string.IsNullOrWhiteSpace(value.Value?.ToString()))
+                {
+                    return new StringIsNullOrWhitespaceError<StatusListEntry>();
+                }
+
+                return ValidationFun.Valid(value.Value.ToString());;
+            });
+
+        return ValidationFun.Valid(Create)
+            .Apply(idx)
+            .Apply(uri);
+    }
+    
+    private static StatusListEntry Create(
+        int idx,
+        string uri) =>
+        new(idx, uri);
+}
+
+public static class StatusListEntryFun
+{
+    public const string IdxJsonKey = "idx";
+    public const string UriJsonKey = "uri";
+}

src/WalletFramework.SdJwtVc/Services/StatusListService.cs renamed to src/WalletFramework.Core/StatusList/StatusListService.cs

@@ -7,9 +7,8 @@
 using WalletFramework.Core.Credentials;
 using WalletFramework.Core.Functional;
 using WalletFramework.Core.Json;
-using WalletFramework.SdJwtVc.Models.StatusList;
 
-namespace WalletFramework.SdJwtVc.Services;
+namespace WalletFramework.Core.StatusList;
 
 public class StatusListService(IHttpClientFactory httpClientFactory) : IStatusListService
 {

src/WalletFramework.Core/WalletFramework.Core.csproj

@@ -7,9 +7,11 @@
     <ItemGroup>
       <PackageReference Include="jose-jwt" Version="5.0.0" />
       <PackageReference Include="LanguageExt.Core" Version="4.4.9" />
+      <PackageReference Include="Microsoft.Extensions.Http" Version="3.1.5" />
       <PackageReference Include="Microsoft.IdentityModel.Tokens" Version="8.0.1" />
       <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
       <PackageReference Include="OneOf" Version="3.0.271" />
       <PackageReference Include="Portable.BouncyCastle" Version="1.9.0" />
+        <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="7.5.2" />
     </ItemGroup>
 </Project>

src/WalletFramework.Core/X509/X509CertificateExtensions.cs

@@ -1,4 +1,5 @@
 using System.Security.Cryptography.X509Certificates;
+using Org.BouncyCastle.Asn1;
 using Org.BouncyCastle.Pkix;
 using Org.BouncyCastle.Utilities.Collections;
 using Org.BouncyCastle.X509;
@@ -12,28 +13,57 @@ namespace WalletFramework.Core.X509;
 /// </summary>
 public static class X509CertificateExtensions
 {
+    public static string? GetAuthorityKeyId(this X509Certificate2 cert)
+    {
+        var authorityKeyIdentifier = cert.Extensions["2.5.29.35"];
+        if (authorityKeyIdentifier == null)
+            return null;
+
+        var asn1Object = new Asn1InputStream(authorityKeyIdentifier.RawData).ReadObject() as DerSequence;
+        var derTaggedObject = asn1Object?[0] as DerTaggedObject;
+        var hex = derTaggedObject?.GetObject().ToString().Trim('#');
+        return hex;
+    }
+    
+    public static string? GetSubjectKeyId(this X509Certificate2 cert)
+    {
+        const string subjectKeyIdentifierOid = "2.5.29.14";
+
+        var ext = cert.Extensions[subjectKeyIdentifierOid] as X509SubjectKeyIdentifierExtension;
+        return ext?.SubjectKeyIdentifier;
+    }
+    
+    public static bool IsSelfSigned(this X509Certificate certificate) =>
+        certificate.IssuerDN.Equivalent(certificate.SubjectDN);
+
     /// <summary>
     ///     Validates the trust chain of the certificate.
     /// </summary>
     /// <param name="trustChain">The trust chain to validate.</param>
     /// <returns>True if the trust chain is valid, otherwise false.</returns>
-    public static bool IsTrustChainValid(this List<X509Certificate> trustChain)
+    public static bool IsTrustChainValid(this IEnumerable<X509Certificate> trustChain)
     {
-        var leafCert = trustChain.First();
+        var chain = trustChain.ToList();
+        if (chain.Count == 1)
+        {
+            return true;
+        }
 
-        var subjects = trustChain.Select(cert => cert.SubjectDN); 
+        var leafCert = chain.First();
+
+        var subjects = chain.Select(cert => cert.SubjectDN);
         var rootCerts = new HashSet(
-            trustChain
+            chain
                 .Where(cert => cert.IsSelfSigned() || !subjects.Contains(cert.IssuerDN))
                 .Select(cert => new TrustAnchor(cert, null)));
 
         var intermediateCerts = new HashSet(
-            trustChain
+            chain
                 .Where(cert => !cert.IsSelfSigned())
                 .Append(leafCert));
 
         var storeSelector = new X509CertStoreSelector { Certificate = leafCert };
-        
+
         var builderParams = new PkixBuilderParameters(rootCerts, storeSelector)
         {
             //TODO: Check if CRLs (Certificate Revocation Lists) are valid
@@ -58,6 +88,6 @@ public static X509Certificate ToBouncyCastleX509Certificate(this X509Certificate
         return certParser.ReadCertificate(cert.GetRawCertData());
     }
 
-    public static bool IsSelfSigned(this X509Certificate certificate) => 
-        certificate.IssuerDN.Equivalent(certificate.SubjectDN);
+    public static X509Certificate2 ToSystemX509Certificate(this X509Certificate cert) =>
+        new(cert.GetEncoded());
 }

src/WalletFramework.Oid4Vc/Constants.cs

@@ -7,4 +7,6 @@ public static class Constants
     public const string SdJwtDcFormat = "dc+sd-jwt";
 
     public const string MdocFormat = "mso_mdoc";
+
+    public const string RegistrationCertificateFormat = "jwt";
 }

src/WalletFramework.Oid4Vc/CredentialSet/CredentialSetService.cs

@@ -1,8 +1,8 @@
 using Hyperledger.Aries.Storage;
 using LanguageExt;
 using WalletFramework.Core.Credentials;
+using WalletFramework.Core.StatusList;
 using WalletFramework.Oid4Vc.CredentialSet.Models;
-using WalletFramework.SdJwtVc.Services;
 
 namespace WalletFramework.Oid4Vc.CredentialSet;
 

src/WalletFramework.Oid4Vc/CredentialSet/Models/CredentialSetRecord.cs

@@ -6,13 +6,13 @@
 using WalletFramework.Core.Credentials;
 using WalletFramework.Core.Functional;
 using WalletFramework.Core.Json;
+using WalletFramework.Core.StatusList;
 using WalletFramework.Core.String;
 using WalletFramework.MdocLib;
 using WalletFramework.MdocVc;
 using WalletFramework.Oid4Vc.Oid4Vci.Issuer.Models;
 using WalletFramework.SdJwtVc.Models;
 using WalletFramework.SdJwtVc.Models.Records;
-using WalletFramework.SdJwtVc.Models.StatusList;
 using CredentialState = WalletFramework.Core.Credentials.CredentialState;
 
 namespace WalletFramework.Oid4Vc.CredentialSet.Models;