9 changes: 8 additions & 1 deletion dist/src/client-factories/siopv2.factory.js
Expand Up @@ -7,7 +7,7 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
step((generator = generator.apply(thisArg, _arguments || [])).next());
});
};
import { importJWK, jwtVerify } from "jose";
import { decodeJwt, EncryptJWT, importJWK, jwtVerify } from "jose";
import { OauthError } from "../oauth-responses";
import { KeyStore } from '../key-store';
import { STATE_KEY, NONCE_KEY } from '../constants';
Expand Down Expand Up @@ -71,8 +71,15 @@ export function createSiopv2Client({ oauth, eventHandler, storage }) {
"client_encryption_key": publicKey,
"client_encryption_alg": "ECDH-ES"
};
const { authorization_server_encryption_key, direct_post_encryption_alg } = decodeJwt(request);
localStorage.setItem("authorizationServerEncryptionKey", JSON.stringify(authorization_server_encryption_key));
localStorage.setItem("directPostEncryptionAlg", JSON.stringify(direct_post_encryption_alg));
const id_token = yield this.keyStore.sign(payload, client_id);
const response = authorization_server_encryption_key && (yield new EncryptJWT({ id_token })
.setProtectedHeader({ alg: direct_post_encryption_alg, enc: "A256GCM" })
.encrypt(yield importJWK(authorization_server_encryption_key, direct_post_encryption_alg)));
return {
response,
id_token,
client_id,
redirect_uri,
Expand Up @@ -7,6 +7,7 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
step((generator = generator.apply(thisArg, _arguments || [])).next());
});
};
import { EncryptJWT, importJWK, jwtDecrypt } from "jose";
import { OauthError } from "../oauth-responses";
import { KeyStore } from '../key-store';
import { CredentialsStore } from '../credentials-store';
Expand Down Expand Up @@ -40,24 +41,51 @@ export function createVerifiableCredentialsIssuanceClient({ oauth, eventHandler,
}
getTokenParams(preauthorizedCode) {
return __awaiter(this, void 0, void 0, function* () {
return {
grant_type: this.grantType,
client_id: this.clientId,
client_secret: this.clientSecret,
redirect_uri: this.redirectUri,
'pre-authorized_code': preauthorizedCode,
scope: this.scope
};
const authorization_server_encryption_key = JSON.parse(localStorage.getItem("authorizationServerEncryptionKey") || "null");
const direct_post_encryption_alg = JSON.parse(localStorage.getItem("directPostEncryptionAlg") || "null");
if (authorization_server_encryption_key && direct_post_encryption_alg) {
const params = {
grant_type: this.grantType,
client_secret: this.clientSecret,
redirect_uri: this.redirectUri,
'pre-authorized_code': preauthorizedCode,
scope: this.scope
};
const encrypted_request = yield new EncryptJWT(params)
.setProtectedHeader({ alg: direct_post_encryption_alg, enc: "A256GCM" })
.encrypt(yield importJWK(authorization_server_encryption_key, direct_post_encryption_alg));
return {
client_id: this.clientId,
encrypted_request,
};
}
else {
return {
grant_type: this.grantType,
client_id: this.clientId,
client_secret: this.clientSecret,
redirect_uri: this.redirectUri,
'pre-authorized_code': preauthorizedCode,
scope: this.scope
};
}
});
}
getToken(preauthorizedCode) {
return __awaiter(this, void 0, void 0, function* () {
// TODO throw an error in case of misconfiguration (tokenPath)
const { oauth: { api, tokenPath = '' } } = this;
const body = yield this.getTokenParams(preauthorizedCode);
return api.post(tokenPath, body).then(({ data }) => {
return data;
}).catch(({ status, response }) => {
return api.post(tokenPath, body).then((_a) => __awaiter(this, [_a], void 0, function* ({ data }) {
if (data.encrypted_response) {
const { privateKey } = JSON.parse(localStorage.getItem("encryptionKeyPair") || "{}");
const { payload: response } = yield jwtDecrypt(data.encrypted_response, yield importJWK(privateKey, "ECDH-ES"));
return response;
}
else {
return data;
}
})).catch(({ status, response }) => {
throw new OauthError(Object.assign({ status }, response.data));
});
});
Expand All @@ -73,11 +101,29 @@ export function createVerifiableCredentialsIssuanceClient({ oauth, eventHandler,
proof_type: 'jwt',
jwt: proofJwt
};
return {
credential_identifier: credentialIdentifier,
format,
proof
};
const authorization_server_encryption_key = JSON.parse(localStorage.getItem("authorizationServerEncryptionKey") || "null");
const direct_post_encryption_alg = JSON.parse(localStorage.getItem("directPostEncryptionAlg") || "null");
if (authorization_server_encryption_key && direct_post_encryption_alg) {
const params = {
credential_identifier: credentialIdentifier,
format,
proof
};
const encrypted_request = yield new EncryptJWT(params)
.setProtectedHeader({ alg: direct_post_encryption_alg, enc: "A256GCM" })
.encrypt(yield importJWK(authorization_server_encryption_key, direct_post_encryption_alg));
return {
client_id: this.clientId,
encrypted_request,
};
}
else {
return {
credential_identifier: credentialIdentifier,
format,
proof
};
}
});
}
getCredential(_a, credentialIdentifier_1, format_1) {
Expand All @@ -88,9 +134,16 @@ export function createVerifiableCredentialsIssuanceClient({ oauth, eventHandler,
headers: {
'Authorization': `Bearer ${accessToken}`
}
}).then(({ data }) => {
return data;
}).catch(({ status, response }) => {
}).then((_a) => __awaiter(this, [_a], void 0, function* ({ data }) {
if (data.encrypted_response) {
const { privateKey } = JSON.parse(localStorage.getItem("encryptionKeyPair") || "{}");
const { payload: response } = yield jwtDecrypt(data.encrypted_response, yield importJWK(privateKey, "ECDH-ES"));
return response;
}
else {
return data;
}
})).catch(({ status, response }) => {
throw new OauthError(Object.assign({ status }, response.data));
}).then((response) => __awaiter(this, void 0, void 0, function* () {
yield this.credentialsStore.insertCredential(credentialIdentifier, response);
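Review bot: A failure inside the decryption added to the `.then` callbacks of getToken and getCredential (no `encryptionKeyPair` in localStorage, a tampered `encrypted_response`, an unexpected JWE header) now lands in the pre-existing `.catch(({ status, response }) => …)`, where `response` is undefined for a jose error, so the caller gets a TypeError on `response.data` instead of an OauthError. Guard the catch, e.g. `.catch((error) => { const { status, response } = error; throw new OauthError(Object.assign({ status }, response ? response.data : { error: 'invalid_response', error_description: String(error) })); })`, and pin what the client accepts: `jwtDecrypt(data.encrypted_response, key, { keyManagementAlgorithms: ["ECDH-ES"], contentEncryptionAlgorithms: ["A256GCM"] })`. Also, `JSON.parse(localStorage.getItem("directPostEncryptionAlg") || "null")` in getTokenParams throws a SyntaxError when the SIOPv2 flow stored `JSON.stringify(undefined)`, which setItem coerces to the literal string "undefined"; wrap that read in a try/catch that treats a parse failure as "no encryption configured". The encryption private key is read from localStorage, which any script on the origin can read; a non-extractable WebCrypto key kept in IndexedDB would be the safer store. This file looks like compiled output (the `__awaiter` helper), so the fix belongs in its src/ counterpart, and the enclosing factory function starts before this hunk.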
55 changes: 32 additions & 23 deletions dist/src/client-factories/verifiable-presentations.factory.js
Expand Up @@ -7,7 +7,7 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
step((generator = generator.apply(thisArg, _arguments || [])).next());
});
};
import { decodeJwt } from "jose";
import { EncryptJWT, importJWK, jwtDecrypt } from "jose";
import { OauthError } from "../oauth-responses";
import { KeyStore } from '../key-store';
import { CredentialsStore } from '../credentials-store';
Expand Down Expand Up @@ -52,10 +52,13 @@ export function createVerifiablePresentationsClient({ oauth, eventHandler, stora
}
generatePresentation(_a, credentials_1) {
return __awaiter(this, arguments, void 0, function* ({ request, redirect_uri }, credentials) {
const url = new URL(redirect_uri);
const { presentation_definition } = yield parseVerifiablePresentationRequest(request);
const { presentation_definition, authorization_server_encryption_key, direct_post_encryption_alg } = yield parseVerifiablePresentationRequest(request);
const presentation = yield this.credentialsStore.presentation(presentation_definition, credentials);
return Object.assign({ redirect_uri }, presentation);
const response = authorization_server_encryption_key && (yield new EncryptJWT(presentation)
.setProtectedHeader({ alg: direct_post_encryption_alg, enc: "A256GCM" })
.encrypt(yield importJWK(authorization_server_encryption_key, direct_post_encryption_alg)));
return Object.assign({ response,
redirect_uri }, presentation);
});
}
state() {
Expand Down Expand Up @@ -162,24 +165,30 @@ function parseVerifiablePresentationsParams(params) {
});
}
function parseVerifiablePresentationRequest(request) {
let decodedRequest;
try {
decodedRequest = decodeJwt(request);
}
catch (error) {
return Promise.reject(new OauthError({
error: 'unkown_error',
error_description: error.toString()
}));
}
const presentation_definition = decodedRequest['presentation_definition'];
if (!presentation_definition) {
return Promise.reject(new OauthError({
error: 'unkown_error',
error_description: 'presentation_definition parameter is missing in VerifiablePresentations request.'
}));
}
return Promise.resolve({
presentation_definition
return __awaiter(this, void 0, void 0, function* () {
let decodedRequest;
const { privateKey } = JSON.parse(localStorage.getItem("encryptionKeyPair") || "{}");
try {
const { payload } = yield jwtDecrypt(request, yield importJWK(privateKey, "ECDH-ES"));
decodedRequest = payload;
}
catch (error) {
return Promise.reject(new OauthError({
error: 'unkown_error',
error_description: error.toString()
}));
}
const presentation_definition = decodedRequest['presentation_definition'];
if (!presentation_definition) {
return Promise.reject(new OauthError({
error: 'unkown_error',
error_description: 'presentation_definition parameter is missing in VerifiablePresentations request.'
}));
}
return Promise.resolve({
authorization_server_encryption_key: decodedRequest['authorization_server_encryption_key'],
direct_post_encryption_alg: decodedRequest['direct_post_encryption_alg'],
presentation_definition
});
});
}
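Review bot: parseVerifiablePresentationRequest now always runs `jwtDecrypt` on the request, so a verifier that still sends the plain signed JWT the previous `decodeJwt` version accepted gets a rejected promise with `unkown_error`, and there is no branch for the unencrypted case. Dispatching on the token shape (a compact JWE has five dot-separated parts, a JWS three) keeps the old path alive, and pinning `keyManagementAlgorithms`/`contentEncryptionAlgorithms` stops the JWE header from choosing the key-agreement algorithm; `decodeJwt` would have to stay in the import line this commit removed. Neither path verifies a signature, so `authorization_server_encryption_key` and `direct_post_encryption_alg` come from an unauthenticated payload and generatePresentation encrypts the presentation to whatever key that payload names; `direct_post_encryption_alg` should at least be checked against an allow-list before it reaches `setProtectedHeader` and `importJWK`. generatePresentation also returns the plaintext `presentation` fields next to the encrypted `response`, which defeats the encryption if the caller posts the whole object. This is compiled output, so the change belongs in the src/ counterpart.
```javascript
function parseVerifiablePresentationRequest(request) {
    return __awaiter(this, void 0, void 0, function* () {
        let decodedRequest;
        try {
            if (request.split('.').length === 5) {
                // Compact JWE: decrypt with our stored key pair, pinned to the algorithms we advertise
                const { privateKey } = JSON.parse(localStorage.getItem("encryptionKeyPair") || "{}");
                const { payload } = yield jwtDecrypt(request, yield importJWK(privateKey, "ECDH-ES"), {
                    keyManagementAlgorithms: ["ECDH-ES"],
                    contentEncryptionAlgorithms: ["A256GCM"]
                });
                decodedRequest = payload;
            }
            else {
                // Compact JWS: previous behaviour; note the payload is still not signature-verified here
                decodedRequest = decodeJwt(request);
            }
        }
        // … unchanged: error mapping, presentation_definition check, return …
```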
7 changes: 7 additions & 0 deletions dist/src/credentials-store.js
Expand Up @@ -9,6 +9,7 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
};
import { decodeJwt } from 'jose';
import { decodeSdJwt } from '@sd-jwt/decode';
import { OauthError } from './oauth-responses';
import { CREDENTIALS_KEY } from './constants';
import { KeyStore } from './key-store';
export class CredentialsStore {
Expand Down Expand Up @@ -171,6 +172,12 @@ export class Credential {
}
static fromResponse(credentialId_1, _a) {
return __awaiter(this, arguments, void 0, function* (credentialId, { format, credential }) {
if (!format || !credential) {
throw new OauthError({
error: "invalid_credential",
error_description: 'Invalid credential response.'
});
}
if (format == 'vc+sd-jwt') {
return decodeSdJwt(credential, () => { return Promise.resolve(new Uint8Array()); }).then(formattedCredential => {
const params = {
25 changes: 24 additions & 1 deletion src/client-factories/siopv2.factory.ts
@@ -1,4 +1,4 @@
import { importJWK, jwtVerify } from "jose"
import { decodeJwt, EncryptJWT, importJWK, jwtVerify, JWK } from "jose"
import { BorutaOauth } from "../boruta-oauth"
import { OauthError, Siopv2Success } from "../oauth-responses"
import { KeyStore } from '../key-store'
Expand Down Expand Up @@ -100,9 +100,32 @@ export function createSiopv2Client({ oauth, eventHandler, storage }: Siopv2Facto
"client_encryption_alg": "ECDH-ES"
}

const {
authorization_server_encryption_key,
direct_post_encryption_alg
} = decodeJwt<{
authorization_server_encryption_key: JWK
direct_post_encryption_alg: string
}>(request)

localStorage.setItem(
"authorizationServerEncryptionKey",
JSON.stringify(authorization_server_encryption_key)
)

localStorage.setItem(
"directPostEncryptionAlg",
JSON.stringify(direct_post_encryption_alg)
)

const id_token = await this.keyStore.sign(payload, client_id)

const response = authorization_server_encryption_key && await new EncryptJWT({ id_token })
.setProtectedHeader({ alg: direct_post_encryption_alg, enc: "A256GCM" })
.encrypt(await importJWK(authorization_server_encryption_key, direct_post_encryption_alg))

return {
response,
id_token,
client_id,
redirect_uri,
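Review bot: `decodeJwt(request)` does not verify the signature, so unless the request was already checked with `jwtVerify` earlier in this method (outside the hunk), `authorization_server_encryption_key` and `direct_post_encryption_alg` are attacker-controlled: the id_token is encrypted to whatever key the payload names, and the unvalidated `alg` string is passed straight to `setProtectedHeader` and `importJWK`. The generic on `decodeJwt<{…}>` is only a compile-time assertion; check the values at runtime and allow-list the algorithm (the client advertises `ECDH-ES` for its own key, so that is the natural set). Separately, when the request carries no encryption parameters, `JSON.stringify(undefined)` returns undefined and `localStorage.setItem` coerces it to the string "undefined", which the `JSON.parse` in the issuance client later rejects with a SyntaxError; clear the keys instead of storing them. Returning the plaintext `id_token` alongside the encrypted `response` also means the caller must post only `response` when encryption is on, which is worth a comment on the return. The enclosing method and createSiopv2Client start before this hunk.
```typescript
const ALLOWED_DIRECT_POST_ALGS = ["ECDH-ES"]

const {
  authorization_server_encryption_key,
  direct_post_encryption_alg
} = decodeJwt<{
  authorization_server_encryption_key?: JWK
  direct_post_encryption_alg?: string
}>(request)

if (authorization_server_encryption_key && direct_post_encryption_alg) {
  if (!ALLOWED_DIRECT_POST_ALGS.includes(direct_post_encryption_alg)) {
    throw new OauthError({
      error: 'invalid_request',
      error_description: `Unsupported direct_post_encryption_alg: ${direct_post_encryption_alg}`
    })
  }
  localStorage.setItem("authorizationServerEncryptionKey", JSON.stringify(authorization_server_encryption_key))
  localStorage.setItem("directPostEncryptionAlg", JSON.stringify(direct_post_encryption_alg))
} else {
  // No encryption requested: do not leave stale or "undefined" values behind for the issuance client.
  localStorage.removeItem("authorizationServerEncryptionKey")
  localStorage.removeItem("directPostEncryptionAlg")
}

// … unchanged: id_token signing, EncryptJWT of { id_token }, return …
```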