From 68c05256acc8a86ecf81b38ef821569775f5b8b1 Mon Sep 17 00:00:00 2001
From: Bibash Shrestha
Date: Fri, 5 Apr 2024 18:00:31 +0545
Subject: [PATCH] feat: Check sd-jwt VC x5c in credential details #2569
---
 .../helper_functions/helper_functions.dart | 23 ++++---------------
 .../cubit/credential_details_cubit.dart | 19 ++++++++++++++-
 .../cubit/qr_code_scan_cubit.dart | 17 +++++++++++---
 3 files changed, 36 insertions(+), 23 deletions(-)
diff --git a/lib/app/shared/helper_functions/helper_functions.dart b/lib/app/shared/helper_functions/helper_functions.dart
index dabd8d033..e9de82585 100644
--- a/lib/app/shared/helper_functions/helper_functions.dart
+++ b/lib/app/shared/helper_functions/helper_functions.dart
@@ -1800,9 +1800,8 @@ List collectSdValues(Map data) {
 Future?> checkX509({
 required String encodedData,
- required String clientId,
- required JWTDecode jwtDecode,
 required Map header,
+ required String clientId,
 }) async {
 final x5c = header['x5c'];
@@ -1882,25 +1881,11 @@ Future?> checkX509({
 Future?> checkVerifierAttestation({
 required String clientId,
- required JWTDecode jwtDecode,
+ required Map payload,
 required Map header,
 }) async {
- final jwt = header['jwt'];
-
- if (jwt == null) {
- throw ResponseMessage(
- data: {
- 'error': 'invalid_format',
- 'error_description': 'verifier_attestation scheme error',
- },
- );
- }
-
- final Map verifierAttestationPayload =
- decodePayload(jwtDecode: jwtDecode, token: jwt.toString());
-
- final sub = verifierAttestationPayload['sub'];
- final cnf = verifierAttestationPayload['cnf'];
+ final sub = payload['sub'];
+ final cnf = payload['cnf'];
 if (sub == null ||
 sub != clientId ||
diff --git a/lib/dashboard/home/tab_bar/credentials/detail/cubit/credential_details_cubit.dart b/lib/dashboard/home/tab_bar/credentials/detail/cubit/credential_details_cubit.dart
index 1552e8b4f..4ab595aae 100644
--- a/lib/dashboard/home/tab_bar/credentials/detail/cubit/credential_details_cubit.dart
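Review bot: `checkVerifierAttestation` now reads `sub` and `cnf` from the caller-supplied `payload` instead of decoding `header['jwt']` itself, but the only call site this patch updates (qr_code_scan_cubit.dart, hunk at 1091) passes `payload: payload`, which appears to be the request object's own payload parsed from `encodedData` in the hunk at 1061, and never decodes the attestation JWT it has just null-checked. If so, the `cnf` key used to authenticate the verifier is taken from the very token it is supposed to vouch for, and any request can carry whatever `sub`/`cnf` it likes; the call site should decode the attestation and pass that instead, e.g. `payload: jwtDecode.parseJwt(jwt.toString())`, or the decode should stay inside this function. Either way the new parameter deserves a doc comment along the lines of `/// [payload] is the decoded payload of the verifier attestation JWT carried in the request header, not of the request object itself.` The comparison chain that consumes `sub` and `cnf` continues past the end of the hunk.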
+++ b/lib/dashboard/home/tab_bar/credentials/detail/cubit/credential_details_cubit.dart
@@ -178,10 +178,27 @@ class CredentialDetailsCubit extends Cubit {
 }
 if (item.jwt != null) {
+ final jwt = item.jwt!;
+ final Map payload = jwtDecode.parseJwt(jwt);
+ final Map header =
+ decodeHeader(jwtDecode: jwtDecode, token: jwt);
+
+ Map? publicKeyJwk;
+
+ final x5c = header['x5c'];
+ if (x5c != null && x5c is List) {
+ publicKeyJwk = await checkX509(
+ encodedData: jwt,
+ header: header,
+ clientId: payload['iss'].toString(),
+ );
+ }
+
 final VerificationType isVerified = await verifyEncodedData(
 issuer: item.issuer,
 jwtDecode: jwtDecode,
- jwt: item.jwt!,
+ jwt: jwt,
+ publicKeyJwk: publicKeyJwk,
 );
 if (isVerified == VerificationType.verified) {
diff --git a/lib/dashboard/qr_code/qr_code_scan/cubit/qr_code_scan_cubit.dart b/lib/dashboard/qr_code/qr_code_scan/cubit/qr_code_scan_cubit.dart
index a30bfe7dc..a14a4560c 100644
--- a/lib/dashboard/qr_code/qr_code_scan/cubit/qr_code_scan_cubit.dart
+++ b/lib/dashboard/qr_code/qr_code_scan/cubit/qr_code_scan_cubit.dart
@@ -1061,7 +1061,7 @@ class QRCodeScanCubit extends Cubit {
 if (isSecurityEnabled) {
 final Map payload =
- decodePayload(jwtDecode: jwtDecode, token: encodedData as String);
+ jwtDecode.parseJwt(encodedData as String);
 final String clientId = payload['client_id'].toString();
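Review bot: A null result from `checkX509` is indistinguishable here from the no-x5c case — `publicKeyJwk` stays null and `verifyEncodedData` runs exactly as for a credential without a certificate — so unless `checkX509` throws on every failure (its body is outside this patch; its return type is shown as a nullable map), a certificate check that yields no key silently falls through to whatever the key-less path does. When `x5c` is present, a null `publicKeyJwk` should be treated as a verification failure rather than handed on, or the fallback should be documented. Separately, `clientId: payload['iss'].toString()` is read from the token's own, not-yet-verified payload while `issuer: item.issuer` is what `verifyEncodedData` receives, and a missing `iss` yields the literal `'null'`; a comment such as `// NOTE(review): clientId is the unverified iss claim; confirm checkX509 binds it to the x5c leaf certificate` would record the intended binding. `x5c != null &&` is redundant since `x5c is List` is already false for null. The enclosing method starts and ends outside the hunk.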
@@ -1091,17 +1091,28 @@ class QRCodeScanCubit extends Cubit {
 if (clientIdScheme != null) {
 final Map header =
 decodeHeader(jwtDecode: jwtDecode, token: encodedData);
+
 if (clientIdScheme == 'x509_san_dns') {
 publicKeyJwk = await checkX509(
 clientId: clientId,
 encodedData: encodedData,
- jwtDecode: jwtDecode,
 header: header,
 );
 } else if (clientIdScheme == 'verifier_attestation') {
+ final jwt = header['jwt'];
+
+ if (jwt == null) {
+ throw ResponseMessage(
+ data: {
+ 'error': 'invalid_format',
+ 'error_description': 'verifier_attestation scheme error',
+ },
+ );
+ }
+
 publicKeyJwk = await checkVerifierAttestation(
 clientId: clientId,
- jwtDecode: jwtDecode,
+ payload: payload,
 header: header,
 );
 }