Do VCI adjustments

Author: cicnavi

src/Controllers/JwksController.php

@@ -39,6 +39,8 @@ public function __invoke(): JsonResponse
         return new JsonResponse(
             $this->jwks->jwksDecoratorFactory()->fromJwkDecorators(
                 ...$this->moduleConfig->getProtocolSignatureKeyPairBag()->getAllPublicKeys(),
+                ...$this->moduleConfig->getFederationSignatureKeyPairBag()->getAllPublicKeys(),
+                ...$this->moduleConfig->getVciSignatureKeyPairBag()->getAllPublicKeys(),
             )->jsonSerialize(),
         );
     }

src/Controllers/VerifiableCredentials/CredentialIssuerConfigurationController.php

@@ -40,7 +40,6 @@ public function configuration(): Response
     {
         // https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-credential-issuer-metadata-p
 
-        // TODO mivanci Add support for multiple signature key pairs. For now, we only support (first) one.
         $signatureKeyPair = $this->moduleConfig->getVciSignatureKeyPairBag()->getFirstOrFail();
 
         $credentialConfigurationsSupported = $this->moduleConfig->getVciCredentialConfigurationsSupported();
@@ -53,10 +52,16 @@ public function configuration(): Response
                 $credentialConfiguration[ClaimsEnum::CredentialSigningAlgValuesSupported->value] = [
                     $signatureKeyPair->getSignatureAlgorithm()->value,
                 ];
-                // Earlier drafts
-                // TODO mivanci Delete CryptographicSuitesSupported once we are on the final draft.
-                $credentialConfiguration[ClaimsEnum::CryptographicSuitesSupported->value] = [
-                    $signatureKeyPair->getSignatureAlgorithm()->value,
+                $credentialConfiguration[ClaimsEnum::CryptographicBindingMethodsSupported->value] = [
+                    'jwk',
+                ];
+                $credentialConfiguration[ClaimsEnum::ProofTypesSupported->value] = [
+                    'jwt' => [
+                        ClaimsEnum::ProofSigningAlgValuesSupported->value => $this->moduleConfig
+                            ->getSupportedAlgorithms()
+                            ->getSignatureAlgorithmBag()
+                            ->getAllNamesUnique(),
+                    ],
                 ];
                 $credentialConfigurationsSupported[$credentialConfigurationId] = $credentialConfiguration;
             }
@@ -94,8 +99,11 @@ public function configuration(): Response
                 [
                     ClaimsEnum::Name->value => $this->moduleConfig->getOrganizationName(),
                     ClaimsEnum::Locale->value => 'en-US',
-                    // OPTIONAL
-                    // logo
+                    ClaimsEnum::Description->value => $this->moduleConfig->getDescription() ?? 'SimpleSAMLphp Demo VCI',
+                    ClaimsEnum::LogoUri->value => [
+                        ClaimsEnum::Uri->value => $this->moduleConfig->getLogoUri(),
+                        ClaimsEnum::AltText->value => ($this->moduleConfig->getOrganizationName() ?? 'VCI') . ' logo',
+                    ],
                 ],
 
             ],

src/Controllers/VerifiableCredentials/CredentialIssuerCredentialController.php

@@ -133,7 +133,7 @@ public function credential(Request $request): Response
                 ['accessTokenState' => $accessToken->getState()],
             );
             return $this->routes->newJsonErrorResponse(
-                'invalid_token',
+                'invalid_credential_request',
                 'Issuer state missing in access token.',
                 401,
             );
@@ -145,8 +145,9 @@ public function credential(Request $request): Response
                 ['issuerState' => $issuerState],
             );
             return $this->routes->newJsonErrorResponse(
-                'invalid_token',
+                'invalid_credential_request',
                 'Issuer state not valid.',
+                401,
             );
         }
 
@@ -163,6 +164,7 @@ public function credential(Request $request): Response
             return $this->routes->newJsonErrorResponse(
                 'invalid_credential_request',
                 'Credential configuration ID must not be used together with credential identifier.',
+                400,
             );
         }
 
@@ -182,6 +184,7 @@ public function credential(Request $request): Response
                 return $this->routes->newJsonErrorResponse(
                     'invalid_credential_request',
                     'Can not resolve credential identifier.',
+                    400,
                 );
             }
 
@@ -224,6 +227,7 @@ public function credential(Request $request): Response
                 return $this->routes->newJsonErrorResponse(
                     'invalid_credential_request',
                     'Credential identifier not used in flow.',
+                    400,
                 );
             }
 
@@ -282,6 +286,7 @@ public function credential(Request $request): Response
                 return $this->routes->newJsonErrorResponse(
                     'invalid_credential_request',
                     'Can not resolve credential format.',
+                    400,
                 );
             }
 
@@ -299,6 +304,7 @@ public function credential(Request $request): Response
                 return $this->routes->newJsonErrorResponse(
                     'unsupported_credential_type',
                     sprintf('Credential format ID "%s" is not supported.', $requestedCredentialFormatId),
+                    400,
                 );
             }
 
@@ -359,6 +365,7 @@ public function credential(Request $request): Response
             return $this->routes->newJsonErrorResponse(
                 'invalid_credential_request',
                 'Can not resolve credential configuration ID.',
+                400,
             );
         }
 
@@ -369,6 +376,7 @@ public function credential(Request $request): Response
             return $this->routes->newJsonErrorResponse(
                 'unsupported_credential_type',
                 sprintf('Credential ID "%s" is not supported.', $resolvedCredentialIdentifier),
+                400,
             );
         }
 
@@ -450,27 +458,26 @@ public function credential(Request $request): Response
 
                     $this->loggerService->debug('Proof verified successfully using did:key ' . $didKey);
 
-                // Verify nonce
+                    // Verify nonce
                     $nonce = $proof->getNonce();
-                    if ($nonce === null) {
-                        return $this->routes->newJsonErrorResponse(
-                            'invalid_proof',
-                            'Proof MUST contain a c_nonce.',
-                        );
-                    }
-
-                    if (!$this->nonceService->validateNonce($nonce)) {
-                        return $this->routes->newJsonResponse(
-                            [
-                            'error' => 'invalid_nonce',
-                            'error_description' => 'c_nonce is invalid or expired.',
-                            'c_nonce' => $this->nonceService->generateNonce(),
-                            ],
-                            400,
-                        );
+                    if (is_string($nonce) && $nonce !== '') {
+                        $this->loggerService->debug('Proof nonce: ' . $nonce);
+
+                        if (!$this->nonceService->validateNonce($nonce)) {
+                            $this->loggerService->warning('Proof nonce is invalid or expired. Nonce was: ' . $nonce);
+                            return $this->routes->newJsonErrorResponse(
+                                error: 'invalid_nonce',
+                                description: 'c_nonce is invalid or expired.',
+                                httpCode: 400,
+                            );
+                        }
+
+                        $this->loggerService->debug('Proof nonce validated successfully.');
+                    } else {
+                        $this->loggerService->warning('Nonce not present in proof, skipping nonce validation.');
                     }
 
-                // Set it as a subject identifier (bind it).
+                    // Set it as a subject identifier (bind it).
                     $sub = $didKey;
                 } else {
                     $this->loggerService->warning(
@@ -507,6 +514,7 @@ public function credential(Request $request): Response
                 return $this->routes->newJsonErrorResponse(
                     'invalid_proof',
                     $message,
+                    400,
                 );
             }
         }

src/Controllers/VerifiableCredentials/NonceController.php

@@ -4,6 +4,8 @@
 
 namespace SimpleSAML\Module\oidc\Controllers\VerifiableCredentials;
 
+use SimpleSAML\Module\oidc\ModuleConfig;
+use SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException;
 use SimpleSAML\Module\oidc\Services\LoggerService;
 use SimpleSAML\Module\oidc\Services\NonceService;
 use SimpleSAML\Module\oidc\Utils\Routes;
@@ -15,7 +17,12 @@ public function __construct(
         protected readonly NonceService $nonceService,
         protected readonly Routes $routes,
         protected readonly LoggerService $loggerService,
+        protected readonly ModuleConfig $moduleConfig,
     ) {
+        if (!$this->moduleConfig->getVciEnabled()) {
+            $this->loggerService->warning('Verifiable Credential capabilities not enabled.');
+            throw OidcServerException::forbidden('Verifiable Credential capabilities not enabled.');
+        }
     }
 
     /**
@@ -30,7 +37,10 @@ public function nonce(): Response
         return $this->routes->newJsonResponse(
             ['c_nonce' => $nonce],
             200,
-            ['Cache-Control' => 'no-store'],
+            [
+                'Cache-Control' => 'no-store',
+                'Access-Control-Allow-Origin' => '*',
+            ],
         );
     }
 }

src/Services/NonceService.php

@@ -63,13 +63,14 @@ public function validateNonce(string $nonce): bool
                 return false;
             }
 
-            // Verify expiration
+            // Verify expiration. This is also done in the JWS factory class.
             $currentTimestamp = $this->jws->helpers()->dateTime()->getUtc()->getTimestamp();
             if ($parsedJws->getExpirationTime() < $currentTimestamp) {
                 $this->loggerService->warning('Nonce validation failed: expired.');
                 return false;
             }
 
+            $this->loggerService->debug('Nonce validation succeeded.');
             return true;
         } catch (\Exception $e) {
             $this->loggerService->warning('Nonce validation failed: ' . $e->getMessage());

tests/unit/src/Controllers/VerifiableCredentials/NonceControllerTest.php

@@ -8,6 +8,7 @@
 use PHPUnit\Framework\MockObject\MockObject;
 use PHPUnit\Framework\TestCase;
 use SimpleSAML\Module\oidc\Controllers\VerifiableCredentials\NonceController;
+use SimpleSAML\Module\oidc\ModuleConfig;
 use SimpleSAML\Module\oidc\Services\LoggerService;
 use SimpleSAML\Module\oidc\Services\NonceService;
 use SimpleSAML\Module\oidc\Utils\Routes;
@@ -19,12 +20,14 @@ class NonceControllerTest extends TestCase
     protected MockObject $nonceServiceMock;
     protected MockObject $routesMock;
     protected MockObject $loggerServiceMock;
+    protected MockObject $moduleConfigMock;
 
     public function setUp(): void
     {
         $this->nonceServiceMock = $this->createMock(NonceService::class);
         $this->routesMock = $this->createMock(Routes::class);
         $this->loggerServiceMock = $this->createMock(LoggerService::class);
+        $this->moduleConfigMock = $this->createMock(ModuleConfig::class);
     }
 
     /**
@@ -39,10 +42,23 @@ public function testNonce(): void
         $responseMock = $this->createMock(JsonResponse::class);
         $this->routesMock->expects($this->once())
             ->method('newJsonResponse')
-            ->with(['c_nonce' => 'mocked_nonce'], 200, ['Cache-Control' => 'no-store'])
+            ->with(
+                ['c_nonce' => 'mocked_nonce'],
+                200,
+                ['Cache-Control' => 'no-store', 'Access-Control-Allow-Origin' => '*'],
+            )
             ->willReturn($responseMock);
 
-        $sut = new NonceController($this->nonceServiceMock, $this->routesMock, $this->loggerServiceMock);
+        $this->moduleConfigMock->expects($this->once())
+            ->method('getVciEnabled')
+            ->willReturn(true);
+
+        $sut = new NonceController(
+            $this->nonceServiceMock,
+            $this->routesMock,
+            $this->loggerServiceMock,
+            $this->moduleConfigMock,
+        );
         $response = $sut->nonce();
 
         $this->assertSame($responseMock, $response);