Conversation
md4096
force-pushed
the
feature/wia-wua
branch
from
190b492 to
829a0bb
Compare
openid-data-classes/src/commonMain/kotlin/at/asitplus/openid/KeyAttestationRequired.kt
Outdated
Show resolved
Hide resolved
vck-openid/src/commonMain/kotlin/at/asitplus/wallet/lib/oidvci/WalletService.kt
Outdated
Show resolved
Hide resolved
md4096
force-pushed
the
feature/wia-wua
branch
from
87158d8 to
8c5dd46
Compare
md4096
force-pushed
the
feature/wia-wua
branch
from
8c5dd46 to
f87d2cc
Compare
openid-data-classes/src/commonMain/kotlin/at/asitplus/openid/KeyAttestationRequired.kt
Show resolved
Hide resolved
vck-openid-ktor/src/commonMain/kotlin/at/asitplus/wallet/lib/ktor/openid/OAuth2KtorClient.kt
Show resolved
Hide resolved
vck-openid/src/commonMain/kotlin/at/asitplus/wallet/lib/oidvci/WalletService.kt
Outdated
Show resolved
Hide resolved
vck-openid/src/commonMain/kotlin/at/asitplus/wallet/lib/oidvci/WalletService.kt
Outdated
Show resolved
Hide resolved
md4096
force-pushed
the
feature/wia-wua
branch
2 times, most recently
from
c4550f7 to
8130d1d
Compare
vck-openid/src/commonMain/kotlin/at/asitplus/wallet/lib/oauth2/SimpleAuthorizationService.kt
Outdated
Show resolved
Hide resolved
vck-openid/src/commonMain/kotlin/at/asitplus/wallet/lib/oidvci/CredentialIssuer.kt
Outdated
Show resolved
Hide resolved
vck-openid/src/commonMain/kotlin/at/asitplus/wallet/lib/oidvci/ProofValidator.kt
Outdated
Show resolved
Hide resolved
vck-openid/src/commonMain/kotlin/at/asitplus/wallet/lib/oidvci/WalletService.kt
Outdated
Show resolved
Hide resolved
md4096
force-pushed
the
feature/wia-wua
branch
from
156f8f7 to
ce57bdf
Compare
|
@codex review |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: c4d86a20b1
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
vck-openid/src/commonMain/kotlin/at/asitplus/wallet/lib/oidvci/WalletService.kt
Outdated
Show resolved
Hide resolved
vck-openid/src/commonMain/kotlin/at/asitplus/wallet/lib/oauth2/SimpleAuthorizationService.kt
Outdated
Show resolved
Hide resolved
vck-openid/src/commonMain/kotlin/at/asitplus/wallet/lib/oidvci/ProofValidator.kt
Outdated
Show resolved
Hide resolved
md4096
force-pushed
the
feature/wia-wua
branch
from
c4d86a2 to
ed51cba
Compare
|
Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits. |
md4096
force-pushed
the
feature/wia-wua
branch
2 times, most recently
from
5657425 to
e46e847
Compare
|
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: e46e847869
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
vck-openid-ktor/src/commonMain/kotlin/at/asitplus/wallet/lib/ktor/openid/OAuth2KtorClient.kt
Outdated
Show resolved
Hide resolved
vck-openid/src/commonMain/kotlin/at/asitplus/wallet/lib/oidvci/WalletService.kt
Outdated
Show resolved
Hide resolved
md4096
force-pushed
the
feature/wia-wua
branch
2 times, most recently
from
38b704f to
49bf8e8
Compare
md4096
force-pushed
the
feature/wia-wua
branch
from
49bf8e8 to
0f5965a
Compare
|
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 0f5965ae9f
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| val clientAttJwt = loadInstanceAttestation?.let { it().getOrNull()?.serialize() } | ||
| val clientAttPop = loadInstanceAttestationPop?.let { it().getOrNull()?.serialize() } |
There was a problem hiding this comment.
This code now always reads instance attestation headers from loadInstanceAttestation*, but the constructor still accepts loadClientAttestationJwt/signClientAttestationPop (marked deprecated, not removed). Callers that have not migrated yet will compile and instantiate this class, but token requests will silently omit attestation headers and fail with invalid_client against servers requiring attestation-based client auth.
Useful? React with 👍 / 👎.
There was a problem hiding this comment.
Would be fine to use the fallback:
val clientAttJwt = loadInstanceAttestation?.let { it().getOrNull()?.serialize() }
?: loadClientAttestationJwt?.invoke()
| if (addKeyAttestation && loadUnitAttestation == null && loadKeyAttestation == null) { | ||
| throw IllegalArgumentException("Key attestation required, none provided") | ||
| } | ||
| return CredentialRequestProofContainer( | ||
| jwt = setOf(loadUnitAttestation?.invoke( |
There was a problem hiding this comment.
When addKeyAttestation is true, the guard explicitly treats loadKeyAttestation as a valid source, but the JWT proof creation path never uses it and only calls loadUnitAttestation. If a wallet still provides only loadKeyAttestation (which is not deprecated here), this branch will pass the precondition and then emit a fallback proof without key attestation, causing issuer-side proof rejection.
Useful? React with 👍 / 👎.
There was a problem hiding this comment.
Also sounds fine to add a fallback to loadKeyAttestation when loadUnitAttestation is null.
| nonce = clientNonce, | ||
| ) | ||
| ) | ||
| )?.getOrNull()?.serialize() ?: fallbackProof(clientNonce, credentialIssuer)) |
There was a problem hiding this comment.
Using getOrNull() here hides failures from loadUnitAttestation and silently falls back to fallbackProof. In key-attestation-required flows this converts a concrete attestation acquisition error into a generic downstream invalid_proof/issuance failure, making recovery and debugging much harder and sending a request that is known to violate issuer requirements.
Useful? React with 👍 / 👎.
There was a problem hiding this comment.
Seems about right, because addKeyAttestation might be true but the call returns an error ... right @md4096?
| when (tokenStatusValid && signatureValid) { | ||
| true -> return@ProofValidator true | ||
| false -> return@ProofValidator false |
There was a problem hiding this comment.
It looks like this could be simplified to tokenStatusValid && signatureValid
| /** Handles credential request encryption and credential response decryption. */ | ||
| private val encryptionService: WalletEncryptionService = WalletEncryptionService(), | ||
| /** Returns a new unit attestation to use during credential issuance. */ | ||
| val loadUnitAttestation: (suspend (input: LoadUnitAttestationInput) -> KmmResult<JwsSigned<JsonWebToken>>)? = null, |
CHANGELOG.md
Outdated
| - ISO mdoc: | ||
| - Preserve `Document.errors` in parsed ISO document results instead of failing validation | ||
| - Change: Executing unsatisfiable DCQL queries no longer throws on matching, only on submission. | ||
| - Add method `loadUnitAttestation` to `WalletService` |
There was a problem hiding this comment.
Please group your entries under OpenID for Verifiable Credential Issuance:
| } | ||
| } | ||
| }.isSuccess | ||
| val signatureValid = true //TODO: Add list with trusted keys |
There was a problem hiding this comment.
Even now we should at least verify the cryptographic signature of the JWS, and simply trust all keys.
| /** Returns a new unit attestation to use during credential issuance. */ | ||
| val loadUnitAttestation: (suspend (input: LoadUnitAttestationInput) -> KmmResult<JwsSigned<JsonWebToken>>)? = null, | ||
|
|
||
| private val keyMaterial: KeyMaterial = EphemeralKeyWithoutCert(), |
There was a problem hiding this comment.
Please move that up the parameter list, to its original position
| issuer = clientId, // omit when token was pre-authn? | ||
| audience = credentialIssuer, | ||
| issuedAt = clock.now().truncateToSeconds(), | ||
| issuedAt = Clock.System.now().truncateToSeconds(), |
There was a problem hiding this comment.
should add a clock parameter to that function
| } | ||
| return CredentialRequestProofContainer( | ||
| jwt = setOf(loadUnitAttestation?.invoke( | ||
| LoadUnitAttestationInput( |
There was a problem hiding this comment.
Seems like duplicated code from createCredentialRequestProofAttestation()
2 participants
Related:
a-sit-plus/signum#400
a-sit-plus/valera#419