Update to latest DC API call structure (#7)

This PR accommodates changes made to DC API `.get()` options, including
an updated protocol identifier, and drops older call signatures
previously required when testing with Chrome.

Author: MasterKale

example/main.ts

@@ -1,7 +1,13 @@
 import { Hono } from "hono";
 import { serveStatic } from "hono/deno";
 
-import { generateRequestOptions } from "../packages/server/src/index.ts";
+import {
+  CredentialRequestOptions,
+  generateRequestOptions,
+  verifyResponse,
+} from "../packages/server/src/index.ts";
+
+let currentOptions: CredentialRequestOptions;
 
 const app = new Hono();
 
@@ -16,31 +22,24 @@ app.get("/options", async (ctx) => {
 
   console.log(JSON.stringify(options, null, 2));
 
-  /**
-   * This is an older format of the DC API call. We have to call it this way for now till a
-   * future Chrome update (currently on Chrome Canary 134) adds support for the newer DC API
-   * call structure
-   */
-  const _options = {
-    digital: {
-      providers: [{
-        protocol: "openid4vp",
-        request: options.digital.requests[0],
-      }],
-    },
-  };
-
-  return ctx.json(_options);
+  currentOptions = options;
+
+  return ctx.json(options);
 });
 
 app.post("/verify", async (ctx) => {
   const body = await ctx.req.json();
 
   console.log("verifying presentation", body);
 
-  return ctx.json({
-    verified: "TODO",
+  const verified = await verifyResponse({
+    response: body,
+    options: currentOptions,
   });
+
+  console.log("verified claims:\n", JSON.stringify(verified, null, 2));
+
+  return ctx.json({ verified });
 });
 
 Deno.serve({ hostname: "localhost" }, app.fetch);

example/static/index.html

@@ -70,8 +70,11 @@ <h1>SimpleDigiCreds Example Site</h1>
             let response;
             try {
               response = await navigator.credentials.get(optionsJSON);
-              console.log("Raw response:", response);
-              printDebug("Response", response.data);
+              console.log("Raw presentation:", response);
+              printDebug(
+                "Raw Presentation",
+                JSON.stringify(response.data, null, 2)
+              );
             } catch (err) {
               elemError.innerText = `${err}`;
               console.error(err);
@@ -80,7 +83,10 @@ <h1>SimpleDigiCreds Example Site</h1>
 
             const verification = await fetch("/verify", {
               method: "post",
-              body: response.data,
+              body: JSON.stringify(response.data),
+              headers: {
+                "Content-Type": "application/json",
+              },
             });
             const verificationJSON = await verification.json();
 
@@ -89,7 +95,7 @@ <h1>SimpleDigiCreds Example Site</h1>
               JSON.stringify(verificationJSON, null, 2)
             );
 
-            if (verificationJSON && verificationJSON.verified === true) {
+            if (verificationJSON && verificationJSON.verified) {
               elemSuccess.innerHTML = "Successfully requested a credential!";
             } else {
               elemError.innerHTML = `Oh no, something went wrong! Response: <pre>${JSON.stringify(

packages/server/src/dcapi.ts

@@ -1,5 +1,21 @@
 import type { OID4VPCredentialQuery, OID4VPCredentialQueryMdoc } from './protocols/oid4vp.ts';
 
+/**
+ * Options suitable for passing into `navigator.credentials.get({ digital: { ... } })` in the
+ * browser to request the presentation of a verifiable credential via the Digital Credentials API
+ */
+export type CredentialRequestOptions = {
+  digital: DigitalCredentialRequestOptions;
+};
+
+export type DigitalCredentialRequestOptions = {
+  requests: DigitalCredentialRequest[];
+};
+
+export type DigitalCredentialRequest = {
+  protocol: string;
+  data: DCAPIRequestOID4VP;
+};
 /**
  * OID4VP-specific request parameters
  *
@@ -20,16 +36,6 @@ export type DCAPIRequestOID4VP = {
   };
 };
 
-/**
- * Options suitable for passing into `navigator.credentials.get({ digital: { ... } })` in the
- * browser to request the presentation of a verifiable credential via the Digital Credentials API
- */
-export type DCAPIRequestOptions = {
-  digital: {
-    requests: DCAPIRequestOID4VP[];
-  };
-};
-
 /**
  * The shape of the value returned from a call to `navigator.credentials.get({ digital: { ... } })`
  */

packages/server/src/formats/mdoc/generateSessionTranscript.test.ts

@@ -1,37 +1,40 @@
 import { assertEquals } from '@std/assert';
 
-import type { DCAPIRequestOptions } from '../../dcapi.ts';
+import type { CredentialRequestOptions } from '../../dcapi.ts';
 import { generateSessionTranscript } from './generateSessionTranscript.ts';
 import { base64url } from '../../helpers/index.ts';
 
 Deno.test('should generate OID4VP-specific session transcript', async () => {
-  const options: DCAPIRequestOptions = {
+  const options: CredentialRequestOptions = {
     digital: {
       requests: [
         {
-          response_type: 'vp_token',
-          response_mode: 'dc_api',
-          client_id: 'web-origin:http://localhost:8000',
-          nonce: 'Y_Sl5cgcgTiw7XnikC24SCDvPEFb81gcOp3lrsdSwZ8',
-          dcql_query: {
-            credentials: [
-              {
-                id: 'cred1',
-                format: 'mso_mdoc',
-                meta: { doctype_value: 'org.iso.18013.5.1.mDL' },
-                claims: [
-                  { path: ['org.iso.18013.5.1', 'family_name'] },
-                  { path: ['org.iso.18013.5.1', 'given_name'] },
-                ],
-              },
-            ],
+          protocol: 'openid4vp',
+          data: {
+            response_type: 'vp_token',
+            response_mode: 'dc_api',
+            client_id: 'web-origin:http://localhost:8000',
+            nonce: 'Y_Sl5cgcgTiw7XnikC24SCDvPEFb81gcOp3lrsdSwZ8',
+            dcql_query: {
+              credentials: [
+                {
+                  id: 'cred1',
+                  format: 'mso_mdoc',
+                  meta: { doctype_value: 'org.iso.18013.5.1.mDL' },
+                  claims: [
+                    { path: ['org.iso.18013.5.1', 'family_name'] },
+                    { path: ['org.iso.18013.5.1', 'given_name'] },
+                  ],
+                },
+              ],
+            },
           },
         },
       ],
     },
   };
 
-  const sessionTranscript = await generateSessionTranscript(options.digital.requests[0]);
+  const sessionTranscript = await generateSessionTranscript(options.digital.requests[0].data);
 
   assertEquals(
     sessionTranscript,

packages/server/src/formats/mdoc/verifyMdocPresentation.ts

@@ -5,6 +5,7 @@ import type { DecodedCredentialResponse } from './types.ts';
 import { verifyIssuerSigned } from './verifyIssuerSigned.ts';
 import { verifyDeviceSigned } from './verifyDeviceSigned.ts';
 import { type VerifiedNamespace, verifyNameSpaces } from './verifyNameSpaces.ts';
+import { convertX509BufferToPEM } from '../../helpers/x509/index.ts';
 
 /**
  * Verify an mdoc presentation as returned through the DC API
@@ -42,13 +43,20 @@ export async function verifyMdocPresentation(
   // TODO: In case it's a bad idea to flatten claims like we're doing above
   // verifiedValues[id] = verifiedItems;
 
+  /**
+   * TODO: It's probably not important to return this, and instead verify the certificate chain
+   * as part of verification using trust anchors specified when calling `verifyResponse()`.
+   * If the chain can't be verified then reject the presentation.
+   */
+  const x5cPEM = issuerX5C.map(convertX509BufferToPEM);
+
   return {
     verifiedClaims,
-    issuerX5C,
+    issuerX5C: x5cPEM,
   };
 }
 
 type VerifiedMdocPresentation = {
   verifiedClaims: VerifiedNamespace;
-  issuerX5C: Uint8Array[];
+  issuerX5C: string[];
 };

packages/server/src/generateRequestOptions.test.ts

@@ -22,25 +22,28 @@ Deno.test('Should generate options', () => {
       digital: {
         requests: [
           {
-            response_type: 'vp_token',
-            response_mode: 'dc_api',
-            client_id: 'web-origin:https://digital-credentials.dev',
-            nonce: '9kMlSgHQW8oBv_AdkSaZKM0ajrEUatzg2f24vV6AgnI',
-            dcql_query: {
-              credentials: [
-                {
-                  id: 'cred1',
-                  format: 'mso_mdoc',
-                  meta: {
-                    doctype_value: 'org.iso.18013.5.1.mDL',
+            protocol: 'openid4vp',
+            data: {
+              response_type: 'vp_token',
+              response_mode: 'dc_api',
+              client_id: 'web-origin:https://digital-credentials.dev',
+              nonce: '9kMlSgHQW8oBv_AdkSaZKM0ajrEUatzg2f24vV6AgnI',
+              dcql_query: {
+                credentials: [
+                  {
+                    id: 'cred1',
+                    format: 'mso_mdoc',
+                    meta: {
+                      doctype_value: 'org.iso.18013.5.1.mDL',
+                    },
+                    claims: [
+                      { path: ['org.iso.18013.5.1', 'family_name'] },
+                      { path: ['org.iso.18013.5.1', 'given_name'] },
+                      { path: ['org.iso.18013.5.1', 'age_over_21'] },
+                    ],
                   },
-                  claims: [
-                    { path: ['org.iso.18013.5.1', 'family_name'] },
-                    { path: ['org.iso.18013.5.1', 'given_name'] },
-                    { path: ['org.iso.18013.5.1', 'age_over_21'] },
-                  ],
-                },
-              ],
+                ],
+              },
             },
           },
         ],

packages/server/src/generateRequestOptions.ts

@@ -3,7 +3,7 @@ import type {
   OID4VPCredentialQueryMdoc,
   OID4VPSupportedMdocClaimName,
 } from './protocols/oid4vp.ts';
-import type { DCAPIRequestOptions } from './dcapi.ts';
+import type { CredentialRequestOptions } from './dcapi.ts';
 
 /**
  * Generate credential presentation request options suitable for passing into
@@ -20,7 +20,7 @@ export function generateRequestOptions(
     desiredClaims: OID4VPSupportedMdocClaimName[];
     requestOrigin: string;
   },
-): DCAPIRequestOptions {
+): CredentialRequestOptions {
   const mdocCredentialRequest: OID4VPCredentialQueryMdoc = {
     id: 'cred1',
     format: 'mso_mdoc',
@@ -36,15 +36,19 @@ export function generateRequestOptions(
     digital: {
       requests: [
         {
-          response_type: 'vp_token',
-          response_mode: 'dc_api',
-          client_id: `web-origin:${requestOrigin}`,
-          nonce: generateNonce(),
-          // https://openid.net/specs/openid-4-verifiable-presentations-1_0-24.html#dcql_query
-          dcql_query: {
-            credentials: [
-              mdocCredentialRequest,
-            ],
+          // https://openid.net/specs/openid-4-verifiable-presentations-1_0-24.html#name-protocol
+          protocol: 'openid4vp',
+          data: {
+            response_type: 'vp_token',
+            response_mode: 'dc_api',
+            client_id: `web-origin:${requestOrigin}`,
+            nonce: generateNonce(),
+            // https://openid.net/specs/openid-4-verifiable-presentations-1_0-24.html#dcql_query
+            dcql_query: {
+              credentials: [
+                mdocCredentialRequest,
+              ],
+            },
           },
         },
       ],

packages/server/src/index.ts

@@ -1,6 +1,12 @@
 export { generateRequestOptions } from './generateRequestOptions.ts';
+export { type VerifiedResponse, verifyResponse } from './verifyResponse.ts';
 
-export type { DCAPIRequestOID4VP, DCAPIRequestOptions } from './dcapi.ts';
+export type {
+  CredentialRequestOptions,
+  DCAPIRequestOID4VP,
+  DigitalCredentialRequest,
+  DigitalCredentialRequestOptions,
+} from './dcapi.ts';
 
 export type {
   OID4VPClaimQuery,