feat: Holder side api for getting more context information

Signed-off-by: Tom Lanser <[email protected]>

packages/openid4vc/package.json

@@ -33,7 +33,7 @@
     "@sphereon/oid4vci-common": "0.16.1-fix.173",
     "@sphereon/oid4vci-issuer": "0.16.1-fix.173",
     "@sphereon/ssi-types": "0.30.2-next.135",
-    "@openid-federation/core": "0.1.1-alpha.12",
+    "@openid-federation/core": "0.1.1-alpha.13",
     "class-transformer": "^0.5.1",
     "rxjs": "^7.8.0"
   },

packages/openid4vc/src/openid4vc-holder/OpenId4VcHolderApi.ts

@@ -11,6 +11,7 @@ import type {
 import type {
   OpenId4VcSiopAcceptAuthorizationRequestOptions,
   OpenId4VcSiopResolveAuthorizationRequestOptions,
+  OpenId4VcSiopResolveTrustChainsOptions,
 } from './OpenId4vcSiopHolderServiceOptions'
 
 import { injectable, AgentContext } from '@credo-ts/core'
@@ -187,4 +188,8 @@ export class OpenId4VcHolderApi {
   public async sendNotification(options: OpenId4VciSendNotificationOptions) {
     return this.openId4VciHolderService.sendNotification(options)
   }
+
+  public async resolveOpenIdFederationChains(options: OpenId4VcSiopResolveTrustChainsOptions) {
+    return this.openId4VcSiopHolderService.resolveOpenIdFederationChains(this.agentContext, options)
+  }
 }

packages/openid4vc/src/openid4vc-holder/OpenId4VciHolderService.ts

@@ -871,6 +871,4 @@ export class OpenId4VciHolderService {
       return jws
     }
   }
-
-  // TODO: Add a function for resolving the entity statement. Which will be used in the holder to verify the entity statement and to show to the user
 }

packages/openid4vc/src/openid4vc-holder/OpenId4vcSiopHolderService.ts

@@ -3,6 +3,7 @@ import type {
   OpenId4VcSiopGetOpenIdProviderOptions,
   OpenId4VcSiopResolveAuthorizationRequestOptions,
   OpenId4VcSiopResolvedAuthorizationRequest,
+  OpenId4VcSiopResolveTrustChainsOptions,
 } from './OpenId4vcSiopHolderServiceOptions'
 import type { OpenId4VcJwtIssuer, OpenId4VcJwtIssuerFederation } from '../shared'
 import type { AgentContext, JwkJson, VerifiablePresentation } from '@credo-ts/core'
@@ -30,7 +31,10 @@ import {
   MdocDeviceResponse,
   JwsService,
 } from '@credo-ts/core'
-import { fetchEntityConfiguration } from '@openid-federation/core'
+import {
+  resolveTrustChains as federationResolveTrustChains,
+  fetchEntityConfiguration as federationFetchEntityConfiguration,
+} from '@openid-federation/core'
 import { OP, ResponseIss, ResponseMode, ResponseType, SupportedVersion, VPTokenLocation } from '@sphereon/did-auth-siop'
 
 import { getSphereonVerifiablePresentation } from '../shared/transform'
@@ -74,7 +78,7 @@ export class OpenId4VcSiopHolderService {
 
       const jwsService = agentContext.dependencyManager.resolve(JwsService)
 
-      const entityConfiguration = await fetchEntityConfiguration({
+      const entityConfiguration = await federationFetchEntityConfiguration({
         entityId: clientId,
         verifyJwtCallback: async ({ jwt, jwk }) => {
           const res = await jwsService.verifyJws(agentContext, {
@@ -434,4 +438,26 @@ export class OpenId4VcSiopHolderService {
 
     return jwe
   }
+
+  public async resolveOpenIdFederationChains(
+    agentContext: AgentContext,
+    options: OpenId4VcSiopResolveTrustChainsOptions
+  ) {
+    const jwsService = agentContext.dependencyManager.resolve(JwsService)
+
+    const { entityId, trustAnchorEntityIds } = options
+
+    return federationResolveTrustChains({
+      entityId,
+      trustAnchorEntityIds,
+      verifyJwtCallback: async ({ jwt, jwk }) => {
+        const res = await jwsService.verifyJws(agentContext, {
+          jws: jwt,
+          jwkResolver: () => getJwkFromJson(jwk),
+        })
+
+        return res.isValid
+      },
+    })
+  }
 }

packages/openid4vc/src/openid4vc-holder/OpenId4vcSiopHolderServiceOptions.ts

@@ -77,3 +77,8 @@ export interface OpenId4VcSiopGetOpenIdProviderOptions {
     trustedEntityIds?: string[]
   }
 }
+
+export interface OpenId4VcSiopResolveTrustChainsOptions {
+  entityId: string
+  trustAnchorEntityIds: [string, ...string[]]
+}

packages/openid4vc/src/shared/utils.ts

@@ -105,9 +105,9 @@ export function getVerifyJwtCallback(
       }
 
       // Pick the first valid trust chain for validation of the leaf entity jwks
-      const { entityConfiguration } = validTrustChains[0]
+      const { leafEntityConfiguration } = validTrustChains[0]
       // TODO: No support yet for signed jwks and external jwks
-      const rpSigningKeys = entityConfiguration?.metadata?.openid_relying_party?.jwks?.keys
+      const rpSigningKeys = leafEntityConfiguration?.metadata?.openid_relying_party?.jwks?.keys
       if (!rpSigningKeys || rpSigningKeys.length === 0)
         throw new CredoError('No rp signing keys found in the entity configuration.')