check OpenIDConfiguration signature with did keys and add test for htp client

test for OpenIDConfiguration server API

disable useless test

bug

more coverage

Author: woutslakhorst

auth/api/iam/api.go

@@ -639,7 +639,7 @@ func (r Wrapper) OpenIDConfiguration(ctx context.Context, request OpenIDConfigur
 	}
 	if !exists {
 		return nil, oauth.OAuth2Error{
-			Code:        "not_found",
+			Code:        oauth.InvalidRequest,
 			Description: "subject not found",
 		}
 	}
@@ -680,22 +680,8 @@ func (r Wrapper) OpenIDConfiguration(ctx context.Context, request OpenIDConfigur
 	// we sign with a JWK, the receiving party can verify with the signature but not if the key corresponds to the DID since the DID method might not be supported.
 	// this is a shortcoming of the openID federation vs OpenID4VP/DID worlds
 	// issuer URL equals server baseURL + :/oauth2/:subject
-	baseURL := r.auth.PublicURL()
-	if baseURL == nil {
-		return nil, oauth.OAuth2Error{
-			Code:        oauth.ServerError,
-			Description: "misconfiguration: missing public URL",
-		}
-	}
-	issuerURL, err := baseURL.Parse("/oauth2/" + request.Subject)
-	if err != nil {
-		return nil, oauth.OAuth2Error{
-			Code:          oauth.ServerError,
-			Description:   "internal server error",
-			InternalError: err,
-		}
-	}
-	configuration := openIDConfiguration(*issuerURL, set, r.vdr.SupportedMethods())
+	issuerURL := r.subjectToBaseURL(request.Subject)
+	configuration := openIDConfiguration(issuerURL, set, r.vdr.SupportedMethods())
 	claims := make(map[string]interface{})
 	asJson, _ := json.Marshal(configuration)
 	_ = json.Unmarshal(asJson, &claims)

auth/api/iam/api_test.go

@@ -26,9 +26,11 @@ import (
 	"fmt"
 	"github.com/nuts-foundation/nuts-node/core/to"
 	"github.com/nuts-foundation/nuts-node/crypto/storage/spi"
+	test2 "github.com/nuts-foundation/nuts-node/crypto/test"
 	"github.com/nuts-foundation/nuts-node/http/user"
 	"github.com/nuts-foundation/nuts-node/test"
 	"github.com/nuts-foundation/nuts-node/vdr/didsubject"
+	"io"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
@@ -121,6 +123,76 @@ func TestWrapper_GetOAuthClientMetadata(t *testing.T) {
 		assert.IsType(t, OAuthClientMetadata200JSONResponse{}, res)
 	})
 }
+
+func TestWrapper_OpenIDConfiguration(t *testing.T) {
+	testKey := test2.GenerateECKey()
+	t.Run("ok", func(t *testing.T) {
+		ctx := newTestClient(t)
+		ctx.keyResolver.EXPECT().ResolveKey(verifierDID, nil, resolver.AssertionMethod).Return("kid", testKey.Public(), nil)
+		ctx.jwtSigner.EXPECT().SignJWT(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).DoAndReturn(func(_ interface{}, claims interface{}, headers interface{}, kid interface{}) (string, error) {
+			asMap := claims.(map[string]interface{})
+			assert.Equal(t, "https://example.com/oauth2/verifier", asMap["iss"])
+			assert.Len(t, asMap["jwks"], 1)
+			return "token", nil
+		})
+
+		res, err := ctx.client.OpenIDConfiguration(nil, OpenIDConfigurationRequestObject{Subject: verifierSubject})
+
+		require.NoError(t, err)
+		assert.IsType(t, OpenIDConfiguration200ApplicationentityStatementJwtResponse{}, res)
+		successResponse := res.(OpenIDConfiguration200ApplicationentityStatementJwtResponse)
+		bodyBytes, err := io.ReadAll(successResponse.Body)
+		require.NoError(t, err)
+		assert.Equal(t, "token", string(bodyBytes))
+	})
+	t.Run("error - subject does not exist", func(t *testing.T) {
+		ctx := newTestClient(t)
+
+		res, err := ctx.client.OpenIDConfiguration(nil, OpenIDConfigurationRequestObject{Subject: unknownSubjectID})
+
+		requireOAuthError(t, err, oauth.InvalidRequest, "subject not found")
+		assert.Nil(t, res)
+	})
+	t.Run("error - subject exists returns error", func(t *testing.T) {
+		ctx := newTestClient(t)
+		ctx.subjectManager.EXPECT().Exists(gomock.Any(), "error").Return(false, assert.AnError)
+
+		res, err := ctx.client.OpenIDConfiguration(nil, OpenIDConfigurationRequestObject{Subject: "error"})
+
+		requireOAuthError(t, err, oauth.ServerError, "internal server error")
+		assert.Nil(t, res)
+	})
+	t.Run("error - subject existslist DIDs returns error", func(t *testing.T) {
+		ctx := newTestClient(t)
+		ctx.subjectManager.EXPECT().Exists(gomock.Any(), "error").Return(true, nil)
+		ctx.subjectManager.EXPECT().List(gomock.Any(), "error").Return(nil, assert.AnError)
+
+		res, err := ctx.client.OpenIDConfiguration(nil, OpenIDConfigurationRequestObject{Subject: "error"})
+
+		requireOAuthError(t, err, oauth.ServerError, "internal server error")
+		assert.Nil(t, res)
+	})
+	t.Run("error - key resolution error", func(t *testing.T) {
+		ctx := newTestClient(t)
+		ctx.keyResolver.EXPECT().ResolveKey(verifierDID, nil, resolver.AssertionMethod).Return("", nil, assert.AnError)
+
+		res, err := ctx.client.OpenIDConfiguration(nil, OpenIDConfigurationRequestObject{Subject: verifierSubject})
+
+		requireOAuthError(t, err, oauth.ServerError, "internal server error")
+		assert.Nil(t, res)
+	})
+	t.Run("error - signing error", func(t *testing.T) {
+		ctx := newTestClient(t)
+		ctx.keyResolver.EXPECT().ResolveKey(verifierDID, nil, resolver.AssertionMethod).Return("kid", testKey.Public(), nil)
+		ctx.jwtSigner.EXPECT().SignJWT(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return("", assert.AnError)
+
+		res, err := ctx.client.OpenIDConfiguration(nil, OpenIDConfigurationRequestObject{Subject: verifierSubject})
+
+		requireOAuthError(t, err, oauth.ServerError, "internal server error")
+		assert.Nil(t, res)
+	})
+}
+
 func TestWrapper_PresentationDefinition(t *testing.T) {
 	ctx := audit.TestContext()
 	walletOwnerMapping := pe.WalletOwnerMapping{pe.WalletOwnerOrganization: pe.PresentationDefinition{Id: "test"}}

auth/client/iam/client.go

@@ -23,11 +23,15 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"github.com/lestrrat-go/jwx/v2/jws"
 	"github.com/lestrrat-go/jwx/v2/jwt"
+	"github.com/nuts-foundation/nuts-node/crypto"
+	"github.com/nuts-foundation/nuts-node/vdr/resolver"
 	"io"
 	"net/http"
 	"net/url"
 	"strings"
+	"time"
 
 	"github.com/nuts-foundation/go-did/vc"
 	"github.com/nuts-foundation/nuts-node/auth/log"
@@ -38,8 +42,9 @@ import (
 
 // HTTPClient holds the server address and other basic settings for the http client
 type HTTPClient struct {
-	strictMode bool
-	httpClient core.HTTPRequestDoer
+	strictMode  bool
+	keyResolver resolver.KeyResolver
+	httpClient  core.HTTPRequestDoer
 }
 
 // OAuthAuthorizationServerMetadata retrieves the OAuth authorization server metadata for the given oauth issuer.
@@ -232,10 +237,8 @@ func (hb HTTPClient) OpenIDConfiguration(ctx context.Context, issuerURL string)
 		return nil, err
 	}
 	var configuration oauth.OpenIDConfiguration
-	request, err := http.NewRequestWithContext(ctx, http.MethodGet, metadataURL.String(), nil)
-	if err != nil {
-		return nil, err
-	}
+	// url already checked
+	request, _ := http.NewRequestWithContext(ctx, http.MethodGet, metadataURL.String(), nil)
 	response, err := hb.httpClient.Do(request.WithContext(ctx))
 	if err != nil {
 		return nil, fmt.Errorf("failed to call endpoint: %w", err)
@@ -247,8 +250,8 @@ func (hb HTTPClient) OpenIDConfiguration(ctx context.Context, issuerURL string)
 	if data, err = core.LimitedReadAll(response.Body); err != nil {
 		return nil, fmt.Errorf("unable to read response: %w", err)
 	}
-	// todo check kid against something? get keys from somewhere? (issuerURL to keys)
-	token, err := jwt.Parse(data, jwt.WithVerify(false))
+	// kid is checked against did resolver
+	token, err := jwt.Parse(data, jwt.WithKeyProvider(hb.KeyProvider()), jwt.WithAcceptableSkew(5*time.Second))
 	if err != nil {
 		return nil, fmt.Errorf("unable to parse response: %w", err)
 	}
@@ -259,13 +262,28 @@ func (hb HTTPClient) OpenIDConfiguration(ctx context.Context, issuerURL string)
 	// hack, broken iat
 	claims["iat"] = token.IssuedAt().Unix()
 	asJSON, _ := json.Marshal(claims)
-	println("TOKEN ", string(asJSON))
 	if err = json.Unmarshal(asJSON, &configuration); err != nil {
 		return nil, fmt.Errorf("unable to unmarshal response: %w", err)
 	}
 	return &configuration, err
 }
 
+func (hb HTTPClient) KeyProvider() jws.KeyProviderFunc {
+	return func(context context.Context, keySink jws.KeySink, signature *jws.Signature, message *jws.Message) error {
+		keyID := signature.ProtectedHeaders().KeyID()
+		publicKey, err := hb.keyResolver.ResolveKeyByID(keyID, nil, resolver.AssertionMethod)
+		if err != nil {
+			return fmt.Errorf("failed to resolve key (kid=%s): %w", keyID, err)
+		}
+		alg, err := crypto.SignatureAlgorithm(publicKey)
+		if err != nil {
+			return fmt.Errorf("failed to resolve key (kid=%s): %w", keyID, err)
+		}
+		keySink.Key(alg, publicKey)
+		return nil
+	}
+}
+
 // CredentialRequest represents ths request to fetch a credential, the JSON object holds the proof as
 // CredentialRequestProof.
 type CredentialRequest struct {

auth/client/iam/client_test.go

@@ -20,10 +20,21 @@ package iam
 
 import (
 	"context"
+	"crypto"
+	"crypto/ecdsa"
+	"encoding/json"
+	"github.com/google/uuid"
+	"github.com/lestrrat-go/jwx/v2/jws"
+	"github.com/nuts-foundation/go-did/did"
+	"github.com/nuts-foundation/nuts-node/audit"
+	nutsCrypto "github.com/nuts-foundation/nuts-node/crypto"
+	test2 "github.com/nuts-foundation/nuts-node/crypto/test"
+	"github.com/nuts-foundation/nuts-node/vdr/resolver"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
 	"testing"
+	"time"
 
 	ssi "github.com/nuts-foundation/go-did"
 	"github.com/nuts-foundation/go-did/vc"
@@ -173,6 +184,83 @@ func TestHTTPClient_ClientMetadata(t *testing.T) {
 	})
 }
 
+func TestHTTPClient_OpenIDConfiguration(t *testing.T) {
+	ctx := context.Background()
+	configuration := oauth.OpenIDConfiguration{
+		Issuer: "issuer",
+	}
+
+	// create jwt
+	createToken := func(t *testing.T, client *HTTPClient) string {
+		testKey := client.keyResolver.(testKeyResolver).key
+		claims := make(map[string]interface{})
+		asJson, _ := json.Marshal(configuration)
+		_ = json.Unmarshal(asJson, &claims)
+		alg, _ := nutsCrypto.SignatureAlgorithm(testKey.Public())
+		headers := map[string]interface{}{jws.AlgorithmKey: alg, jws.KeyIDKey: "test"}
+		token, err := nutsCrypto.SignJWT(audit.TestContext(), testKey, alg, claims, headers)
+		require.NoError(t, err)
+		return token
+	}
+
+	t.Run("ok", func(t *testing.T) {
+		handler := http2.Handler{StatusCode: http.StatusOK}
+		tlsServer, client := testServerAndClient(t, &handler)
+		handler.ResponseData = createToken(t, client)
+
+		response, err := client.OpenIDConfiguration(ctx, tlsServer.URL)
+
+		require.NoError(t, err)
+		require.NotNil(t, response)
+		assert.Equal(t, configuration, *response)
+		require.NotNil(t, handler.Request)
+	})
+	t.Run("error - invalid url", func(t *testing.T) {
+		handler := http2.Handler{StatusCode: http.StatusOK}
+		_, client := testServerAndClient(t, &handler)
+		handler.ResponseData = createToken(t, client)
+
+		_, err := client.OpenIDConfiguration(ctx, ":")
+
+		require.Error(t, err)
+		assert.EqualError(t, err, "parse \":\": missing protocol scheme")
+	})
+	t.Run("error - error return", func(t *testing.T) {
+		handler := http2.Handler{StatusCode: http.StatusInternalServerError}
+		tlsServer, client := testServerAndClient(t, &handler)
+
+		response, err := client.OpenIDConfiguration(ctx, tlsServer.URL)
+
+		require.Error(t, err)
+		require.Nil(t, response)
+		assert.EqualError(t, err, "server returned HTTP 500 (expected: 200)")
+	})
+	t.Run("error - not a signed jwt", func(t *testing.T) {
+		handler := http2.Handler{StatusCode: http.StatusOK, ResponseData: ""}
+		tlsServer, client := testServerAndClient(t, &handler)
+
+		response, err := client.OpenIDConfiguration(ctx, tlsServer.URL)
+
+		require.Error(t, err)
+		require.Nil(t, response)
+		assert.EqualError(t, err, "unable to parse response: failed to parse jws: invalid byte sequence")
+	})
+	t.Run("error - unknown key", func(t *testing.T) {
+		otherClient := &HTTPClient{
+			keyResolver: newTestKeyResolver(),
+		}
+		handler := http2.Handler{StatusCode: http.StatusOK}
+		tlsServer, client := testServerAndClient(t, &handler)
+		handler.ResponseData = createToken(t, otherClient)
+
+		response, err := client.OpenIDConfiguration(ctx, tlsServer.URL)
+
+		require.Error(t, err)
+		require.Nil(t, response)
+		assert.EqualError(t, err, "unable to parse response: could not verify message using any of the signatures or keys")
+	})
+}
+
 func TestHTTPClient_PostError(t *testing.T) {
 	redirectReturn := oauth.Redirect{
 		RedirectURI: "http://test.test",
@@ -299,13 +387,6 @@ func TestHTTPClient_RequestObjectPost(t *testing.T) {
 	})
 }
 
-func testServerAndClient(t *testing.T, handler http.Handler) (*httptest.Server, *HTTPClient) {
-	tlsServer := http2.TestTLSServer(t, handler)
-	return tlsServer, &HTTPClient{
-		httpClient: tlsServer.Client(),
-	}
-}
-
 func TestHTTPClient_doGet(t *testing.T) {
 	t.Run("error - non 200 return value", func(t *testing.T) {
 		handler := http2.Handler{StatusCode: http.StatusBadRequest}
@@ -333,3 +414,31 @@ func TestHTTPClient_doGet(t *testing.T) {
 		assert.Error(t, err)
 	})
 }
+
+func newTestKeyResolver() resolver.KeyResolver {
+	return testKeyResolver{
+		kid: uuid.NewString(),
+		key: test2.GenerateECKey(),
+	}
+}
+
+type testKeyResolver struct {
+	kid string
+	key *ecdsa.PrivateKey
+}
+
+func (t testKeyResolver) ResolveKeyByID(keyID string, validAt *time.Time, relationType resolver.RelationType) (crypto.PublicKey, error) {
+	return t.key.Public(), nil
+}
+
+func (t testKeyResolver) ResolveKey(id did.DID, validAt *time.Time, relationType resolver.RelationType) (string, crypto.PublicKey, error) {
+	return t.kid, t.key.Public(), nil
+}
+
+func testServerAndClient(t *testing.T, handler http.Handler) (*httptest.Server, *HTTPClient) {
+	tlsServer := http2.TestTLSServer(t, handler)
+	return tlsServer, &HTTPClient{
+		httpClient:  tlsServer.Client(),
+		keyResolver: newTestKeyResolver(),
+	}
+}

auth/client/iam/openid4vp.go

@@ -62,8 +62,9 @@ func NewClient(wallet holder.Wallet, keyResolver resolver.KeyResolver, subjectMa
 	ldDocumentLoader ld.DocumentLoader, strictMode bool, httpClientTimeout time.Duration) *OpenID4VPClient {
 	return &OpenID4VPClient{
 		httpClient: HTTPClient{
-			strictMode: strictMode,
-			httpClient: client.NewWithCache(httpClientTimeout),
+			strictMode:  strictMode,
+			httpClient:  client.NewWithCache(httpClientTimeout),
+			keyResolver: keyResolver,
 		},
 		keyResolver:      keyResolver,
 		jwtSigner:        jwtSigner,