ISO: Keep fallback verification of presentation documents in place

a-sit-plus · Jan 15, 2025 · 693c357 · 693c357
1 parent 60ba49d
commit 693c357
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 3 deletions.
diff --git a/vck/src/commonMain/kotlin/at/asitplus/wallet/lib/agent/Validator.kt b/vck/src/commonMain/kotlin/at/asitplus/wallet/lib/agent/Validator.kt
@@ -337,6 +337,29 @@ class Validator(
         return IsoDocumentParsed(mso = mso, validItems = validItems, invalidItems = invalidItems)
     }
 
+    @Deprecated("This is just here to keep functionality implemented before, to be deleted after 5.3.0")
+    fun verifyDocumentFallback(mso: MobileSecurityObject, doc: Document, challenge: String): Boolean {
+        val walletKey = mso.deviceKeyInfo.deviceKey
+        val deviceSignature = doc.deviceSigned.deviceAuth.deviceSignature ?: run {
+            Napier.w("DeviceSignature is null: ${doc.deviceSigned.deviceAuth}")
+            throw IllegalArgumentException("deviceSignature")
+        }
+
+        verifierCoseService.verifyCose(deviceSignature, walletKey).onFailure {
+            Napier.w("DeviceSignature not verified: ${doc.deviceSigned.deviceAuth}", it)
+            throw IllegalArgumentException("deviceSignature")
+        }
+        val deviceSignaturePayload = deviceSignature.payload ?: run {
+            Napier.w("DeviceSignature does not contain challenge")
+            throw IllegalArgumentException("challenge")
+        }
+        if (!deviceSignaturePayload.contentEquals(challenge.encodeToByteArray())) {
+            Napier.w("DeviceSignature does not contain correct challenge")
+            throw IllegalArgumentException("challenge")
+        }
+        return true
+    }
+
     /**
      * Verify that calculated digests equal the corresponding digest values in the MSO.
      *

diff --git a/vck/src/commonMain/kotlin/at/asitplus/wallet/lib/agent/VerifierAgent.kt b/vck/src/commonMain/kotlin/at/asitplus/wallet/lib/agent/VerifierAgent.kt
@@ -30,7 +30,7 @@ class VerifierAgent(
      * that shall include the [challenge] (sent by this verifier),
      * as well as the expected [identifier] (identifying this verifier).
      */
-    @Deprecated("Use specific methods instead")
+    @Deprecated("Use specific methods instead, to be deleted after 5.3.0")
     override suspend fun verifyPresentation(it: String, challenge: String): VerifyPresentationResult {
         val input = it
         val sdJwtSigned = runCatching { SdJwtSigned.parse(input) }.getOrNull()
@@ -54,7 +54,9 @@ class VerifierAgent(
             ?.let { bytes -> Document.deserialize(bytes).getOrNull() }
         if (document != null) {
             val verifiedDocument = runCatching {
-                validator.verifyDocument(document, { _, _ -> true })
+                validator.verifyDocument(document) { mso, document ->
+                    validator.verifyDocumentFallback(mso, document, challenge)
+                }
             }.getOrElse {
                 return VerifyPresentationResult.ValidationError(it)
             }
@@ -64,7 +66,9 @@ class VerifierAgent(
             ?.let { bytes -> DeviceResponse.deserialize(bytes).getOrNull() }
         if (deviceResponse != null) {
             val result = runCatching {
-                validator.verifyDeviceResponse(deviceResponse, { _, _ -> true })
+                validator.verifyDeviceResponse(deviceResponse) { mso, document ->
+                    validator.verifyDocumentFallback(mso, document, challenge)
+                }
             }.getOrElse {
                 return VerifyPresentationResult.ValidationError(it)
             }