@@ -73,34 +73,37 @@ internal class RequestAuthenticator(siopOpenId4VPConfig: SiopOpenId4VPConfig, ht
7373 private val clientAuthenticator = ClientAuthenticator (siopOpenId4VPConfig)
7474 private val signatureVerifier = JarJwtSignatureVerifier (siopOpenId4VPConfig, httpClient)
7575
76- suspend fun authenticate (request : FetchedRequest ): AuthenticatedRequest = coroutineScope {
76+ suspend fun authenticate (request : ReceivedRequest ): AuthenticatedRequest = coroutineScope {
7777 val client = clientAuthenticator.authenticateClient(request)
7878 when (request) {
79- is FetchedRequest . Plain -> {
79+ is ReceivedRequest . Unsigned -> {
8080 AuthenticatedRequest (client, request.requestObject)
8181 }
8282
83- is FetchedRequest .JwtSecured -> {
84- with (signatureVerifier) { verifySignature(client, request.jwt) }
85- AuthenticatedRequest (client, request.jwt.requestObject())
83+ is ReceivedRequest .Signed -> {
84+ val signedJwt = request.ensureSingleSignedRequest()
85+ with (signatureVerifier) { verifySignature(client, signedJwt) }
86+ AuthenticatedRequest (client, signedJwt.requestObject())
8687 }
8788 }
8889 }
8990}
9091
9192internal class ClientAuthenticator (private val siopOpenId4VPConfig : SiopOpenId4VPConfig ) {
92- suspend fun authenticateClient (request : FetchedRequest ): AuthenticatedClient {
93+ suspend fun authenticateClient (request : ReceivedRequest ): AuthenticatedClient {
9394 val requestObject = when (request) {
94- is FetchedRequest .JwtSecured -> request.jwt.requestObject()
95- is FetchedRequest .Plain -> request.requestObject
95+ is ReceivedRequest .Signed -> {
96+ request.ensureSingleSignedRequest().requestObject()
97+ }
98+ is ReceivedRequest .Unsigned -> request.requestObject
9699 }
97100
98101 val (originalClientId, clientIdScheme) = originalClientIdAndScheme(requestObject)
99102 return when (clientIdScheme) {
100103 is Preregistered -> {
101104 val registeredClient = clientIdScheme.clients[originalClientId]
102105 ensureNotNull(registeredClient) { RequestValidationError .InvalidClientId .asException() }
103- if (request is FetchedRequest . JwtSecured ) {
106+ if (request is ReceivedRequest . Signed ) {
104107 ensureNotNull(registeredClient.jarConfig) {
105108 invalidScheme(" $registeredClient cannot place signed request"
106109 }
@@ -109,7 +112,7 @@ internal class ClientAuthenticator(private val siopOpenId4VPConfig: SiopOpenId4V
109112 }
110113
111114 SupportedClientIdScheme .RedirectUri -> {
112- ensure(request is FetchedRequest . Plain ) {
115+ ensure(request is ReceivedRequest . Unsigned ) {
113116 invalidScheme(" ${clientIdScheme.scheme()} cannot be used in signed request"
114117 }
115118 val originalClientIdAsUri =
@@ -118,7 +121,7 @@ internal class ClientAuthenticator(private val siopOpenId4VPConfig: SiopOpenId4V
118121 }
119122
120123 is SupportedClientIdScheme .X509SanDns -> {
121- ensure(request is FetchedRequest . JwtSecured ) {
124+ ensure(request is ReceivedRequest . Signed ) {
122125 invalidScheme(" ${clientIdScheme.scheme()} cannot be used in unsigned request"
123126 }
124127 val chain = x5c(originalClientId, request, clientIdScheme.trust) {
@@ -129,7 +132,7 @@ internal class ClientAuthenticator(private val siopOpenId4VPConfig: SiopOpenId4V
129132 }
130133
131134 is SupportedClientIdScheme .X509SanUri -> {
132- ensure(request is FetchedRequest . JwtSecured ) {
135+ ensure(request is ReceivedRequest . Signed ) {
133136 invalidScheme(" ${clientIdScheme.scheme()} cannot be used in unsigned request"
134137 }
135138 val chain = x5c(originalClientId, request, clientIdScheme.trust) {
@@ -142,7 +145,7 @@ internal class ClientAuthenticator(private val siopOpenId4VPConfig: SiopOpenId4V
142145 }
143146
144147 is SupportedClientIdScheme .DID -> {
145- ensure(request is FetchedRequest . JwtSecured ) {
148+ ensure(request is ReceivedRequest . Signed ) {
146149 invalidScheme(" ${clientIdScheme.scheme()} cannot be used in unsigned request"
147150 }
148151 val originalClientIdAsDID = ensureNotNull(DID .parse(originalClientId).getOrNull()) {
@@ -153,7 +156,7 @@ internal class ClientAuthenticator(private val siopOpenId4VPConfig: SiopOpenId4V
153156 }
154157
155158 is SupportedClientIdScheme .VerifierAttestation -> {
156- ensure(request is FetchedRequest . JwtSecured ) {
159+ ensure(request is ReceivedRequest . Signed ) {
157160 invalidScheme(" ${clientIdScheme.scheme()} cannot be used in unsigned request"
158161 }
159162 val attestedClaims =
@@ -174,11 +177,12 @@ internal class ClientAuthenticator(private val siopOpenId4VPConfig: SiopOpenId4V
174177
175178 private fun x5c (
176179 originalClientId : OriginalClientId ,
177- request : FetchedRequest . JwtSecured ,
180+ request : ReceivedRequest . Signed ,
178181 trust : X509CertificateTrust ,
179182 subjectAlternativeNames : X509Certificate .() -> List <String >,
180183 ): List <X509Certificate > {
181- val x5c = request.jwt.header?.x509CertChain
184+ val jwt = request.ensureSingleSignedRequest()
185+ val x5c = jwt.header?.x509CertChain
182186 ensureNotNull(x5c) { invalidJarJwt(" Missing x5c"
183187 val pubCertChain = x5c.mapNotNull { runCatching { X509CertUtils .parse(it.decode()) }.getOrNull() }
184188 ensure(pubCertChain.isNotEmpty()) { invalidJarJwt(" Invalid x5c"
@@ -192,13 +196,21 @@ internal class ClientAuthenticator(private val siopOpenId4VPConfig: SiopOpenId4V
192196 }
193197}
194198
199+ private fun ReceivedRequest.Signed.ensureSingleSignedRequest (): SignedJWT {
200+ val signedJwts = toSignedJwts()
201+ return ensure(signedJwts.size == 1 ) {
202+ invalidJarJwt(" Multi-signed authorization requests are not yet supported"
203+ }.let { signedJwts[0 ] }
204+ }
205+
195206private suspend fun lookupKeyByDID (
196- request : FetchedRequest . JwtSecured ,
207+ request : ReceivedRequest . Signed ,
197208 clientId : DID ,
198209 lookupPublicKeyByDIDUrl : LookupPublicKeyByDIDUrl ,
199210): PublicKey = withContext(Dispatchers .IO ) {
200211 val keyUrl: AbsoluteDIDUrl = run {
201- val kid = ensureNotNull(request.jwt.header?.keyID) {
212+ val jwt = request.ensureSingleSignedRequest()
213+ val kid = ensureNotNull(jwt.header?.keyID) {
202214 invalidJarJwt(" Missing kid for client_id $clientId "
203215 }
204216 ensureNotNull(AbsoluteDIDUrl .parse(kid).getOrNull()) {
@@ -217,15 +229,16 @@ private suspend fun lookupKeyByDID(
217229private fun verifierAttestation (
218230 clock : Clock ,
219231 supportedScheme : SupportedClientIdScheme .VerifierAttestation ,
220- request : FetchedRequest . JwtSecured ,
232+ request : ReceivedRequest . Signed ,
221233 originalClientId : OriginalClientId ,
222234): VerifierAttestationClaims {
223235 val (trust, skew) = supportedScheme
224236 fun invalidVerifierAttestationJwt (cause : String? ) =
225237 invalidJarJwt(" Invalid VerifierAttestation JWT. Details: $cause "
226238
227239 val verifierAttestationJwt = run {
228- val jwtString = request.jwt.header.customParams[" jwt"
240+ val jwt = request.ensureSingleSignedRequest()
241+ val jwtString = jwt.header.customParams[" jwt"
229242 ensureNotNull(jwtString) { invalidJarJwt(" Missing jwt JOSE Header"
230243 ensure(jwtString is String ) { invalidJarJwt(" jwt JOSE Header doesn't contain a JWT"
231244
0 commit comments