WIP

Author: nanderstabel

oid4vc-core/src/client_metadata.rs

@@ -1,5 +1,6 @@
 use serde::{Deserialize, Serialize};
 use serde_with::skip_serializing_none;
+use std::collections::HashMap;
 use url::Url;
 
 /// [`ClientMetadata`] is a request parameter used by a [`crate::RelyingParty`] to communicate its capabilities to a
@@ -16,6 +17,8 @@ pub enum ClientMetadataResource<T = ()> {
         /// expanded with Extensions and profiles.
         #[serde(flatten)]
         extension: T,
+        #[serde(flatten, skip_serializing_if = "HashMap::is_empty")]
+        other: HashMap<String, serde_json::Value>,
     },
     ClientMetadataUri(String),
 }

oid4vc-core/src/openid4vc_extension.rs

@@ -43,6 +43,13 @@ pub trait Extension: Serialize + PartialEq + Sized + std::fmt::Debug + Clone + S
         async { Err(anyhow::anyhow!("Not implemented.")) }
     }
 
+    fn get_relying_party_supported_syntax_types(
+        _authorization_request: &<Self::RequestHandle as RequestHandle>::Parameters,
+    ) -> impl Future<Output = anyhow::Result<Vec<SubjectSyntaxType>>> {
+        // Will be overwritten by the extension.
+        async { Err(anyhow::anyhow!("Not implemented.")) }
+    }
+
     fn build_authorization_response(
         _jwts: Vec<String>,
         _user_input: <Self::ResponseHandle as ResponseHandle>::Input,

oid4vc-core/src/subject_syntax_type.rs

@@ -40,6 +40,14 @@ impl TryFrom<&str> for SubjectSyntaxType {
     }
 }
 
+impl TryFrom<String> for SubjectSyntaxType {
+    type Error = anyhow::Error;
+
+    fn try_from(value: String) -> Result<Self, Self::Error> {
+        SubjectSyntaxType::from_str(value.as_str())
+    }
+}
+
 impl From<DidMethod> for SubjectSyntaxType {
     fn from(did_method: DidMethod) -> Self {
         SubjectSyntaxType::Did(did_method)

oid4vc-manager/src/managers/provider.rs

@@ -18,18 +18,36 @@ pub struct ProviderManager {
 impl ProviderManager {
     pub fn new(
         subject: Arc<dyn Subject>,
-        default_subject_syntax_type: impl TryInto<SubjectSyntaxType>,
+        supported_subject_syntax_types: Vec<impl TryInto<SubjectSyntaxType>>,
         supported_signing_algorithms: Vec<Algorithm>,
     ) -> Result<Self> {
         Ok(Self {
-            provider: Provider::new(subject, default_subject_syntax_type, supported_signing_algorithms)?,
+            provider: Provider::new(subject, supported_subject_syntax_types, supported_signing_algorithms)?,
         })
     }
 
     pub async fn validate_request(&self, authorization_request: String) -> Result<AuthorizationRequest<Object>> {
         self.provider.validate_request(authorization_request).await
     }
 
+    pub async fn get_matching_signing_algorithm<E: Extension>(
+        &self,
+        authorization_request: &AuthorizationRequest<Object<E>>,
+    ) -> Result<Algorithm> {
+        self.provider
+            .get_matching_signing_algorithm(authorization_request)
+            .await
+    }
+
+    pub async fn get_matching_subject_syntax_type<E: Extension>(
+        &self,
+        authorization_request: &AuthorizationRequest<Object<E>>,
+    ) -> Result<SubjectSyntaxType> {
+        self.provider
+            .get_matching_subject_syntax_type(authorization_request)
+            .await
+    }
+
     pub async fn generate_response<E: Extension + OpenID4VC>(
         &self,
         authorization_request: &AuthorizationRequest<Object<E>>,
@@ -45,7 +63,7 @@ impl ProviderManager {
         self.provider.send_response(authorization_response).await
     }
 
-    pub fn default_subject_syntax_type(&self) -> &SubjectSyntaxType {
-        &self.provider.default_subject_syntax_type
+    pub fn default_subject_syntax_types(&self) -> &Vec<SubjectSyntaxType> {
+        &self.provider.supported_subject_syntax_types
     }
 }

oid4vc-manager/src/methods/key_method.rs

@@ -123,7 +123,8 @@ mod tests {
         let subject = KeySubject::new();
 
         // Create a new provider manager.
-        let provider_manager = ProviderManager::new(Arc::new(subject), "did:key", vec![Algorithm::EdDSA]).unwrap();
+        let provider_manager =
+            ProviderManager::new(Arc::new(subject), vec!["did:key"], vec![Algorithm::EdDSA]).unwrap();
 
         // Get a new SIOP authorization_request with response mode `direct_post` for cross-device communication.
         let request_url = "\

oid4vc-manager/tests/oid4vci/authorization_code.rs

@@ -42,7 +42,7 @@ async fn test_authorization_code_flow() {
     let subject_did = subject.identifier("did:key", Algorithm::EdDSA).await.unwrap();
 
     // Create a new wallet.
-    let wallet: Wallet = Wallet::new(Arc::new(subject), "did:key", vec![Algorithm::EdDSA]).unwrap();
+    let wallet: Wallet = Wallet::new(Arc::new(subject), vec!["did:key"], vec![Algorithm::EdDSA]).unwrap();
 
     // Get the credential issuer url.
     let credential_issuer_url = credential_issuer

oid4vc-manager/tests/oid4vci/pre_authorized_code.rs

@@ -46,7 +46,7 @@ async fn test_pre_authorized_code_flow(#[case] batch: bool, #[case] by_reference
     let subject_did = subject.identifier("did:key", Algorithm::EdDSA).await.unwrap();
 
     // Create a new wallet.
-    let wallet: Wallet = Wallet::new(Arc::new(subject), "did:key", vec![Algorithm::EdDSA]).unwrap();
+    let wallet: Wallet = Wallet::new(Arc::new(subject), vec!["did:key"], vec![Algorithm::EdDSA]).unwrap();
 
     // Get the credential offer url.
     let credential_offer_query = credential_issuer

oid4vc-manager/tests/oid4vp/implicit.rs

@@ -19,7 +19,7 @@ use oid4vp::{
     ClaimFormatDesignation, ClaimFormatProperty, PresentationDefinition,
 };
 use serde_json::json;
-use std::sync::Arc;
+use std::{collections::HashMap, sync::Arc};
 
 lazy_static! {
     pub static ref PRESENTATION_DEFINITION: PresentationDefinition = serde_json::from_value(json!(
@@ -109,13 +109,17 @@ async fn test_implicit_flow() {
                 .into_iter()
                 .collect(),
             },
+            other: HashMap::from_iter(vec![(
+                "subject_syntax_types_supported".to_string(),
+                json!(vec!["did:key".to_string(),]),
+            )]),
         })
         .nonce("nonce".to_string())
         .build()
         .unwrap();
 
     // Create a provider manager and validate the authorization request.
-    let provider_manager = ProviderManager::new(subject, "did:key", vec![Algorithm::EdDSA]).unwrap();
+    let provider_manager = ProviderManager::new(subject, vec!["did:key"], vec![Algorithm::EdDSA]).unwrap();
 
     // Create a new verifiable credential.
     let verifiable_credential = VerifiableCredentialJwt::builder()

oid4vc-manager/tests/siopv2/implicit.rs

@@ -141,6 +141,7 @@ async fn test_implicit_flow(#[case] did_method: &str) {
                 subject_syntax_types_supported: vec![SubjectSyntaxType::Did(DidMethod::from_str(did_method).unwrap())],
                 id_token_signed_response_alg: Some(Algorithm::EdDSA),
             },
+            other: Default::default(),
         })
         .claims(
             r#"{
@@ -185,7 +186,7 @@ async fn test_implicit_flow(#[case] did_method: &str) {
     };
 
     // Create a new provider manager.
-    let provider_manager = ProviderManager::new(Arc::new(subject), did_method, vec![Algorithm::EdDSA]).unwrap();
+    let provider_manager = ProviderManager::new(Arc::new(subject), vec![did_method], vec![Algorithm::EdDSA]).unwrap();
 
     // Create a new RequestUrl which includes a `request_uri` pointing to the mock server's `request_uri` endpoint.
     let authorization_request = AuthorizationRequest::<ByReference> {

oid4vci/src/wallet/mod.rs

@@ -1,3 +1,5 @@
+use std::str::FromStr;
+
 use crate::authorization_details::AuthorizationDetailsObject;
 use crate::authorization_request::AuthorizationRequest;
 use crate::authorization_response::AuthorizationResponse;
@@ -11,7 +13,7 @@ use crate::credential_request::{BatchCredentialRequest, CredentialRequest};
 use crate::credential_response::BatchCredentialResponse;
 use crate::proof::{KeyProofType, ProofType};
 use crate::{credential_response::CredentialResponse, token_request::TokenRequest, token_response::TokenResponse};
-use anyhow::Result;
+use anyhow::{anyhow, Result};
 use jsonwebtoken::Algorithm;
 use oid4vc_core::authentication::subject::SigningSubject;
 use oid4vc_core::SubjectSyntaxType;
@@ -26,7 +28,7 @@ where
     CFC: CredentialFormatCollection,
 {
     pub subject: SigningSubject,
-    pub default_subject_syntax_type: SubjectSyntaxType,
+    pub supported_subject_syntax_types: Vec<SubjectSyntaxType>,
     pub client: ClientWithMiddleware,
     pub proof_signing_alg_values_supported: Vec<Algorithm>,
     phantom: std::marker::PhantomData<CFC>,
@@ -35,7 +37,7 @@ where
 impl<CFC: CredentialFormatCollection + DeserializeOwned> Wallet<CFC> {
     pub fn new(
         subject: SigningSubject,
-        default_subject_syntax_type: impl TryInto<SubjectSyntaxType>,
+        supported_subject_syntax_types: Vec<impl TryInto<SubjectSyntaxType>>,
         proof_signing_alg_values_supported: Vec<Algorithm>,
     ) -> anyhow::Result<Self> {
         let retry_policy = ExponentialBackoff::builder().build_with_max_retries(5);
@@ -44,9 +46,14 @@ impl<CFC: CredentialFormatCollection + DeserializeOwned> Wallet<CFC> {
             .build();
         Ok(Self {
             subject,
-            default_subject_syntax_type: default_subject_syntax_type
-                .try_into()
-                .map_err(|_| anyhow::anyhow!("Invalid did method"))?,
+            supported_subject_syntax_types: supported_subject_syntax_types
+                .into_iter()
+                .map(|subject_syntax_type| {
+                    subject_syntax_type
+                        .try_into()
+                        .map_err(|_| anyhow::anyhow!("Invalid did method."))
+                })
+                .collect::<Result<_>>()?,
             client,
             proof_signing_alg_values_supported,
             phantom: std::marker::PhantomData,
@@ -121,7 +128,11 @@ impl<CFC: CredentialFormatCollection + DeserializeOwned> Wallet<CFC> {
                 client_id: self
                     .subject
                     .identifier(
-                        &self.default_subject_syntax_type.to_string(),
+                        &self
+                            .supported_subject_syntax_types
+                            .first()
+                            .map(ToString::to_string)
+                            .ok_or(anyhow!("No supported subject syntax types found."))?,
                         self.proof_signing_alg_values_supported[0],
                     )
                     .await?,
@@ -163,6 +174,22 @@ impl<CFC: CredentialFormatCollection + DeserializeOwned> Wallet<CFC> {
             ))?
             .proof_signing_alg_values_supported;
 
+        let credential_issuer_cryptographic_binding_methods_supported: Vec<SubjectSyntaxType> =
+            credential_configuration
+                .cryptographic_binding_methods_supported
+                .iter()
+                .filter_map(|binding_method| SubjectSyntaxType::from_str(binding_method).ok())
+                .collect();
+
+        let subject_syntax_type = self
+            .supported_subject_syntax_types
+            .iter()
+            .find(|supported_syntax_type| {
+                credential_issuer_cryptographic_binding_methods_supported.contains(supported_syntax_type)
+            })
+            .or(self.supported_subject_syntax_types.first())
+            .ok_or(anyhow::anyhow!("No supported subject syntax types found."))?;
+
         let signing_algorithm = self
             .proof_signing_alg_values_supported
             .iter()
@@ -179,10 +206,11 @@ impl<CFC: CredentialFormatCollection + DeserializeOwned> Wallet<CFC> {
                     .signer(self.subject.clone())
                     .iss(
                         self.subject
-                            .identifier(&self.default_subject_syntax_type.to_string(), *signing_algorithm)
+                            .identifier(&subject_syntax_type.to_string(), *signing_algorithm)
                             .await?,
                     )
                     .aud(credential_issuer_metadata.credential_issuer)
+                    // TODO: Use current time.
                     .iat(1571324800)
                     // TODO: so is this REQUIRED or OPTIONAL?
                     .nonce(
@@ -192,7 +220,7 @@ impl<CFC: CredentialFormatCollection + DeserializeOwned> Wallet<CFC> {
                             .ok_or(anyhow::anyhow!("No c_nonce found."))?
                             .clone(),
                     )
-                    .subject_syntax_type(self.default_subject_syntax_type.to_string())
+                    .subject_syntax_type(&subject_syntax_type.to_string())
                     .build()
                     .await?,
             ),
@@ -226,6 +254,24 @@ impl<CFC: CredentialFormatCollection + DeserializeOwned> Wallet<CFC> {
             ))?
             .proof_signing_alg_values_supported;
 
+        let credential_issuer_cryptographic_binding_methods_supported: Vec<SubjectSyntaxType> =
+            credential_configurations
+                .first()
+                .ok_or(anyhow::anyhow!("No credential configurations found."))?
+                .cryptographic_binding_methods_supported
+                .iter()
+                .filter_map(|binding_method| SubjectSyntaxType::from_str(binding_method).ok())
+                .collect();
+
+        let subject_syntax_type = self
+            .supported_subject_syntax_types
+            .iter()
+            .find(|supported_syntax_type| {
+                credential_issuer_cryptographic_binding_methods_supported.contains(supported_syntax_type)
+            })
+            .or(self.supported_subject_syntax_types.first())
+            .ok_or(anyhow::anyhow!("No supported subject syntax types found."))?;
+
         let signing_algorithm = self
             .proof_signing_alg_values_supported
             .iter()
@@ -241,10 +287,11 @@ impl<CFC: CredentialFormatCollection + DeserializeOwned> Wallet<CFC> {
                 .signer(self.subject.clone())
                 .iss(
                     self.subject
-                        .identifier(&self.default_subject_syntax_type.to_string(), *signing_algorithm)
+                        .identifier(&subject_syntax_type.to_string(), *signing_algorithm)
                         .await?,
                 )
                 .aud(credential_issuer_metadata.credential_issuer)
+                // TODO: Use current time.
                 .iat(1571324800)
                 // TODO: so is this REQUIRED or OPTIONAL?
                 .nonce(
@@ -254,7 +301,7 @@ impl<CFC: CredentialFormatCollection + DeserializeOwned> Wallet<CFC> {
                         .ok_or(anyhow::anyhow!("No c_nonce found."))?
                         .clone(),
                 )
-                .subject_syntax_type(self.default_subject_syntax_type.to_string())
+                .subject_syntax_type(subject_syntax_type.to_string())
                 .build()
                 .await?,
         );

oid4vp/src/authorization_request.rs

@@ -222,7 +222,8 @@ mod tests {
                         ]
                         .into_iter()
                         .collect()
-                    }
+                    },
+                    other: HashMap::from_iter(vec![("application_type".to_string(), serde_json::json!("web"))]),
                 }),
             },
             json_example::<ExampleAuthorizationRequest>("tests/examples/client_metadata/client_client_id_did.json")

oid4vp/src/oid4vp.rs

@@ -21,6 +21,7 @@ use reqwest_middleware::ClientBuilder;
 use reqwest_retry::policies::ExponentialBackoff;
 use reqwest_retry::RetryTransientMiddleware;
 use serde::{Deserialize, Serialize};
+use std::str::FromStr;
 use std::sync::Arc;
 
 /// This is the [`RequestHandle`] for the [`OID4VP`] extension.
@@ -121,6 +122,48 @@ impl Extension for OID4VP {
         }
     }
 
+    async fn get_relying_party_supported_syntax_types(
+        authorization_request: &<Self::RequestHandle as RequestHandle>::Parameters,
+    ) -> anyhow::Result<Vec<SubjectSyntaxType>> {
+        let client_metadata = match &authorization_request.client_metadata {
+            ClientMetadataResource::ClientMetadataUri(client_metadata_uri) => {
+                let retry_policy = ExponentialBackoff::builder().build_with_max_retries(5);
+                let client = ClientBuilder::new(reqwest::Client::new())
+                    .with(RetryTransientMiddleware::new_with_policy(retry_policy))
+                    .build();
+                let client_metadata: ClientMetadataResource<ClientMetadataParameters> =
+                    client.get(client_metadata_uri).send().await?.json().await?;
+                client_metadata
+            }
+            client_metadata => client_metadata.clone(),
+        };
+
+        match client_metadata {
+            ClientMetadataResource::ClientMetadataUri(_) => unreachable!(),
+            ClientMetadataResource::ClientMetadata { other, .. } => {
+                let subject_syntax_types_supported: Vec<SubjectSyntaxType> = other
+                    .get("subject_syntax_types_supported")
+                    .and_then(|subject_syntax_types_supported| {
+                        subject_syntax_types_supported
+                            .as_array()
+                            .and_then(|subject_syntax_types_supported| {
+                                subject_syntax_types_supported
+                                    .into_iter()
+                                    .map(|subject_syntax_type| {
+                                        subject_syntax_type.as_str().map(|subject_syntax_type| {
+                                            SubjectSyntaxType::from_str(subject_syntax_type).unwrap()
+                                        })
+                                    })
+                                    .collect()
+                            })
+                    })
+                    .unwrap_or_default();
+
+                Ok(subject_syntax_types_supported)
+            }
+        }
+    }
+
     fn build_authorization_response(
         jwts: Vec<String>,
         user_input: <Self::ResponseHandle as ResponseHandle>::Input,

siopv2/Cargo.toml

@@ -31,6 +31,7 @@ serde_urlencoded = "0.7.1"
 serde_with.workspace = true
 tokio.workspace = true
 url = { version = "2.3.1", features = ["serde"] }
+log = "0.4"
 
 [dev-dependencies]
 oid4vc-core = { path = "../oid4vc-core", features = ["test-utils"] }