feat: encrypted credential response

cmd/vc-rest/go.mod

@@ -11,6 +11,7 @@ require (
  github.com/cenkalti/backoff/v4 v4.2.0
  github.com/deepmap/oapi-codegen v1.11.0
  github.com/dgraph-io/ristretto v0.1.1
+ github.com/go-jose/go-jose/v3 v3.0.1-0.20221117193127-916db76e8214
  github.com/google/uuid v1.3.0
  github.com/labstack/echo/v4 v4.10.2
  github.com/ory/dockertest/v3 v3.9.1
@@ -97,7 +98,6 @@ require (
  github.com/fsnotify/fsnotify v1.6.0 // indirect
  github.com/getkin/kin-openapi v0.94.0 // indirect
  github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32 // indirect
- github.com/go-jose/go-jose/v3 v3.0.1-0.20221117193127-916db76e8214 // indirect
  github.com/go-logr/logr v1.2.3 // indirect
  github.com/go-logr/stdr v1.2.2 // indirect
  github.com/go-openapi/jsonpointer v0.19.5 // indirect

cmd/vc-rest/startcmd/start.go

@@ -27,24 +27,24 @@
  oapimw "github.com/deepmap/oapi-codegen/pkg/middleware"
  "github.com/deepmap/oapi-codegen/pkg/securityprovider"
  "github.com/dgraph-io/ristretto"
- "github.com/trustbloc/did-go/doc/ld/documentloader"
- "github.com/trustbloc/vc-go/proof/defaults"
- "github.com/trustbloc/vc-go/vermethod"
- "go.mongodb.org/mongo-driver/mongo"
- "golang.org/x/net/http2"
- "golang.org/x/net/http2/h2c"
-
+ "github.com/go-jose/go-jose/v3"
  "github.com/labstack/echo/v4"
  echomw "github.com/labstack/echo/v4/middleware"
  jsonld "github.com/piprate/json-gold/ld"
  echopprof "github.com/sevenNt/echo-pprof"
  "github.com/spf13/cobra"
  "github.com/trustbloc/did-go/doc/ld/context/remote"
+ "github.com/trustbloc/did-go/doc/ld/documentloader"
  "github.com/trustbloc/logutil-go/pkg/log"
+ "github.com/trustbloc/vc-go/proof/defaults"
+ "github.com/trustbloc/vc-go/vermethod"
+ "go.mongodb.org/mongo-driver/mongo"
  "go.opentelemetry.io/contrib/instrumentation/github.com/aws/aws-sdk-go-v2/otelaws"
  "go.opentelemetry.io/contrib/instrumentation/github.com/labstack/echo/otelecho"
  "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
  "go.opentelemetry.io/otel"
+ "golang.org/x/net/http2"
+ "golang.org/x/net/http2/h2c"
 
  "github.com/trustbloc/vcs/api/spec"
  "github.com/trustbloc/vcs/component/credentialstatus"
@@ -702,6 +702,7 @@
  AckStore: ackStore,
  ProfileSvc: issuerProfileSvc,
  })
+
  oidc4ciService, err = oidc4ci.NewService(&oidc4ci.Config{
  TransactionStore: oidc4ciTransactionStore,
  ClaimDataStore: oidc4ciClaimDataStore,
@@ -811,6 +812,17 @@
  TransactionStore: oidc4ciTransactionStore,
  })
 
+ jweEncrypterCreator := func(jwk jose.JSONWebKey, alg jose.KeyAlgorithm, enc jose.ContentEncryption) (jose.Encrypter, error) { //nolint:lll
+ return jose.NewEncrypter(
+ enc,
+ jose.Recipient{
+ Algorithm: alg,
+ Key: jwk,
+ },
+ nil,
+ )
+ }
+
  oidc4civ1.RegisterHandlers(e, oidc4civ1.NewController(&oidc4civ1.Config{
  OAuth2Provider: oauthProvider,
  StateStore: oidc4ciStateStore,
@@ -824,6 +836,7 @@
  ClientIDSchemeService: clientIDSchemeSvc,
  Tracer: conf.Tracer,
  AckService: ackService,
+ JWEEncrypterCreator: jweEncrypterCreator,
  }))
 
  oidc4vpv1.RegisterHandlers(e, oidc4vpv1.NewController(&oidc4vpv1.Config{

pkg/profile/api.go

@@ -167,6 +167,9 @@ type OIDCConfig struct {
  WalletInitiatedAuthFlowSupported bool `json:"wallet_initiated_auth_flow_supported"`
  SignedCredentialOfferSupported bool `json:"signed_credential_offer_supported"`
  SignedIssuerMetadataSupported bool `json:"signed_issuer_metadata_supported"`
+ CredentialResponseAlgValuesSupported []string `json:"credential_response_alg_values_supported"`
+ CredentialResponseEncValuesSupported []string `json:"credential_response_enc_values_supported"`
+ CredentialResponseEncryptionRequired bool `json:"credential_response_encryption_required"`
  ClaimsEndpoint string `json:"claims_endpoint"`
 }
 

pkg/restapi/v1/issuer/controller.go

@@ -755,6 +755,10 @@
  return resterr.NewCustomError(resterr.ClaimsValidationErr, err)
  }
 
+ if err = validateCredentialResponseEncryption(profile, body.RequestedCredentialResponseEncryption); err != nil {
+ return err
+ }
+
  signedCredential, err := c.signCredential(
  ctx, result.Credential, profile, issuecredential.WithTransactionID(body.TxId))
  if err != nil {
@@ -906,6 +910,44 @@
  return nil, fmt.Errorf("invalid type for credential subject: %T", subject)
 }
 
+func validateCredentialResponseEncryption(
+ profile *profileapi.Issuer,
+ requested *RequestedCredentialResponseEncryption,
+) error {
+ if profile.OIDCConfig == nil {
+ return nil
+ }
+
+ if profile.OIDCConfig.CredentialResponseEncryptionRequired && requested == nil {
+ return resterr.NewValidationError(resterr.InvalidValue, "credential_response_encryption",
+ errors.New("credential response encryption is required"))
+ }
+
+ alg := ""
+ if requested != nil {
+ alg = requested.Alg
+ }
+
+ if len(profile.OIDCConfig.CredentialResponseAlgValuesSupported) > 0 &&
+ !lo.Contains(profile.OIDCConfig.CredentialResponseAlgValuesSupported, alg) {
+ return resterr.NewValidationError(resterr.InvalidValue, "credential_response_encryption.alg",
+ fmt.Errorf("alg %s not supported", requested.Alg))
+ }
+
+ enc := ""
+ if requested != nil {
+ enc = requested.Enc
+ }
+
+ if len(profile.OIDCConfig.CredentialResponseEncValuesSupported) > 0 &&
+ !lo.Contains(profile.OIDCConfig.CredentialResponseEncValuesSupported, enc) {
+ return resterr.NewValidationError(resterr.InvalidValue, "credential_response_encryption.enc",
+ fmt.Errorf("enc %s not supported", requested.Enc))
+ }
+
+ return nil
+}
+
 // OpenidCredentialIssuerConfig request VCS IDP OIDC Configuration.
 // GET /issuer/{profileID}/{profileVersion}/.well-known/openid-credential-issuer.
 func (c *Controller) OpenidCredentialIssuerConfig(ctx echo.Context, profileID, profileVersion string) error {