Fixes for presentation during issuance workflow.

sorotokin · sorotokin · commit aca22c60d981 · 2025-05-02T13:08:33.000-07:00
Minimal PR that brings presentation-during-issuance implementation to the current spec, in particular with DCQL.
(More work will follow up to integrate PresentmentModel with the ProvisioningModel, in particular to select
potentially matching credential(s) more intellegently).

Testing: tested openid4vci issuance workflow with our own openid4vci server implementation.

Signed-off-by: Peter Sorotokin &lt;sorotokin@gmail.com&gt;
diff --git a/multipaz-models/src/commonMain/kotlin/org/multipaz/models/presentment/digitalCredentialsPresentment.kt b/multipaz-models/src/commonMain/kotlin/org/multipaz/models/presentment/digitalCredentialsPresentment.kt
@@ -296,7 +296,7 @@ private suspend fun digitalCredentialsOpenID4VPProtocol(
 
     val nonce = req["nonce"]!!.jsonPrimitive.content
     val responseMode = req["response_mode"]!!.jsonPrimitive.content
-    if (!(responseMode == "dc_api" || responseMode == "dc_api.jwt")) {
+    if (!(responseMode == "dc_api" || responseMode == "dc_api.jwt" || responseMode == "direct_post.jwt")) {
         // TODO: in the future, flat out reject requests that doesn't use encrypted response
         throw IllegalArgumentException("Unexpected response_mode $responseMode")
     }
@@ -340,7 +340,7 @@ private suspend fun digitalCredentialsOpenID4VPProtocol(
     var reEncAlg: Algorithm = Algorithm.UNSET
     val reReaderPublicKey: EcPublicKey? = when (responseMode) {
         "dc_api" -> null
-        "dc_api.jwt" -> {
+        "dc_api.jwt", "direct_post.jwt" -> {
             val clientMetadata = req["client_metadata"]!!.jsonObject
             val reAlg = clientMetadata["authorization_encrypted_response_alg"]!!.jsonPrimitive.content
             if (reAlg != "ECDH-ES") {
diff --git a/samples/testapp/src/commonMain/kotlin/com/android/identity/testapp/App.kt b/samples/testapp/src/commonMain/kotlin/com/android/identity/testapp/App.kt
@@ -745,8 +745,9 @@ class App private constructor(val promptModel: PromptModel) {
                     }
                     composable(route = ProvisioningTestDestination.route) {
                         ProvisioningTestScreen(
-                            promptModel = promptModel,
-                            provisioningModel = provisioningModel
+                            app = this@App,
+                            provisioningModel = provisioningModel,
+                            presentmentModel = presentmentModel
                         )
                     }
                     composable(route = ConsentModalBottomSheetListDestination.route) {
diff --git a/samples/testapp/src/commonMain/kotlin/com/android/identity/testapp/ui/ProvisioningTestScreen.kt b/samples/testapp/src/commonMain/kotlin/com/android/identity/testapp/ui/ProvisioningTestScreen.kt
@@ -33,7 +33,6 @@ import org.multipaz.provisioning.evidence.EvidenceRequestMessage
 import org.multipaz.provisioning.evidence.EvidenceRequestOpenid4Vp
 import org.multipaz.provisioning.evidence.EvidenceRequestQuestionMultipleChoice
 import org.multipaz.provisioning.evidence.EvidenceRequestQuestionString
-import org.multipaz.provisioning.evidence.EvidenceRequestSetupCloudSecureArea
 import org.multipaz.provisioning.evidence.EvidenceRequestWeb
 import org.multipaz.provisioning.evidence.EvidenceResponseCreatePassphrase
 import org.multipaz.provisioning.evidence.EvidenceResponseMessage
@@ -44,28 +43,48 @@ import com.android.identity.testapp.provisioning.model.ProvisioningModel
 import kotlinx.coroutines.delay
 import kotlinx.coroutines.launch
 import kotlinx.coroutines.withContext
+import kotlinx.serialization.json.Json
+import kotlinx.serialization.json.buildJsonObject
+import kotlinx.serialization.json.jsonObject
+import kotlinx.serialization.json.jsonPrimitive
+import kotlinx.serialization.json.put
+import org.jetbrains.compose.resources.painterResource
 import org.multipaz.compose.PassphraseEntryField
+import org.multipaz.compose.presentment.Presentment
 import org.multipaz.compose.webview.RichText
 import org.multipaz.credential.Credential
-import org.multipaz.prompt.PromptModel
+import org.multipaz.models.presentment.DigitalCredentialsPresentmentMechanism
+import org.multipaz.models.presentment.PresentmentModel
 import org.multipaz.provisioning.ApplicationSupport
 import org.multipaz.provisioning.LandingUrlUnknownException
 import org.multipaz.provisioning.evidence.EvidenceRequestNotificationPermission
 import org.multipaz.provisioning.evidence.EvidenceResponseNotificationPermission
-import org.multipaz.securearea.SecureAreaRepository
-import org.multipaz.securearea.cloud.CloudSecureArea
+import org.multipaz.provisioning.evidence.EvidenceResponseOpenid4Vp
+import org.multipaz.testapp.App
+import org.multipaz.testapp.TestAppPresentmentSource
+import org.multipaz.testapp.platformAppIcon
+import org.multipaz.testapp.platformAppName
 import org.multipaz.util.Logger
 import kotlin.time.Duration.Companion.seconds
 
 @Composable
-fun ProvisioningTestScreen(promptModel: PromptModel, provisioningModel: ProvisioningModel) {
+fun ProvisioningTestScreen(
+    app: App,
+    provisioningModel: ProvisioningModel,
+    presentmentModel: PresentmentModel
+) {
     LaunchedEffect(provisioningModel) {
         provisioningModel.run()
     }
     val provisioningState = provisioningModel.state.collectAsState(ProvisioningModel.Initial).value
     Column {
         if (provisioningState is ProvisioningModel.EvidenceRequested) {
-            RequestEvidence(provisioningModel, promptModel, provisioningState)
+            RequestEvidence(
+                app,
+                provisioningModel,
+                presentmentModel,
+                provisioningState
+            )
         } else {
             val text = when (provisioningState) {
                 ProvisioningModel.Initial -> "Starting provisioning..."
@@ -91,13 +110,14 @@ fun ProvisioningTestScreen(promptModel: PromptModel, provisioningModel: Provisio
 
 @Composable
 private fun RequestEvidence(
+    app: App,
     provisioningModel: ProvisioningModel,
-    promptModel: PromptModel,
+    presentmentModel: PresentmentModel,
     request: ProvisioningModel.EvidenceRequested
 ) {
     val index = remember { mutableIntStateOf(0) }
     val evidenceRequest = request.evidenceRequests[index.value]
-    val coroutineScope = rememberCoroutineScope { promptModel }
+    val coroutineScope = rememberCoroutineScope { app.promptModel }
     when (evidenceRequest) {
         is EvidenceRequestQuestionString -> {
             EvidenceRequestQuestionStringView(
@@ -154,7 +174,10 @@ private fun RequestEvidence(
 
         is EvidenceRequestOpenid4Vp -> {
             EvidenceRequestOpenid4VpView(
+                app = app,
+                provisioningModel = provisioningModel,
                 evidenceRequest = evidenceRequest,
+                presentmentModel = presentmentModel,
                 viableCredentials = request.credentials,
                 onNextEvidenceRequest = {
                     index.value++
@@ -542,31 +565,81 @@ private suspend fun handleLanding(
 
 @Composable
 fun EvidenceRequestOpenid4VpView(
+    app: App,
+    provisioningModel: ProvisioningModel,
     evidenceRequest: EvidenceRequestOpenid4Vp,
+    presentmentModel: PresentmentModel,
     viableCredentials: List<Credential>,
     onNextEvidenceRequest: () -> Unit
 ) {
-    Column {
-        Row(
-            modifier = Modifier.fillMaxWidth(),
-            horizontalArrangement = Arrangement.Center
-        ) {
-            Text(
-                text = "Presentation during issuance is not yet implemented",
-                textAlign = TextAlign.Center,
-                modifier = Modifier.padding(8.dp),
-                style = MaterialTheme.typography.titleLarge
-            )
-        }
-        Row(
-            modifier = Modifier.fillMaxWidth(),
-            horizontalArrangement = Arrangement.Center
-        )  {
-            Button(
-                modifier = Modifier.padding(8.dp),
-                onClick = onNextEvidenceRequest
+    val coroutineScope = rememberCoroutineScope()
+    val presenting = remember { mutableStateOf(false) }
+    if (presenting.value) {
+        Presentment(
+            presentmentModel = presentmentModel,
+            promptModel = app.promptModel,
+            documentTypeRepository = app.documentTypeRepository,
+            source = TestAppPresentmentSource(app),
+            onPresentmentComplete = { presenting.value = false},
+            appName = platformAppName,
+            appIconPainter = painterResource(platformAppIcon),
+        )
+    } else {
+        Column {
+            Row(
+                modifier = Modifier.fillMaxWidth(),
+                horizontalArrangement = Arrangement.Center
+            ) {
+                Text(
+                    text = "Presentation during issuance",
+                    textAlign = TextAlign.Center,
+                    modifier = Modifier.padding(8.dp),
+                    style = MaterialTheme.typography.titleLarge
+                )
+            }
+            Row(
+                modifier = Modifier.fillMaxWidth(),
+                horizontalArrangement = Arrangement.Center
             ) {
-                Text(text = evidenceRequest.cancelText ?: "Use browser")
+                Button(
+                    modifier = Modifier.padding(8.dp),
+                    onClick = {
+                        presentmentModel.reset()
+                        val mechanism = object : DigitalCredentialsPresentmentMechanism(
+                            appId = "",
+                            webOrigin = evidenceRequest.originUri,
+                            protocol = "openid4vp",
+                            request = buildJsonObject {
+                                put("request", evidenceRequest.request)
+                            }.toString(),
+                            document = viableCredentials.first().document
+                        ) {
+                            override fun sendResponse(response: String) {
+                                coroutineScope.launch {
+                                    val json = Json.parseToJsonElement(response).jsonObject
+                                    provisioningModel.provideEvidence(
+                                        EvidenceResponseOpenid4Vp(json["response"]!!.jsonPrimitive.content)
+                                    )
+                                }
+                            }
+
+                            override fun close() {
+                                presenting.value = false
+                            }
+                        }
+                        presentmentModel.setConnecting()
+                        presentmentModel.setMechanism(mechanism)
+                        presenting.value = true
+                    }
+                ) {
+                    Text(text = "Present Credential")
+                }
+                Button(
+                    modifier = Modifier.padding(8.dp),
+                    onClick = onNextEvidenceRequest
+                ) {
+                    Text(text = evidenceRequest.cancelText ?: "Use browser")
+                }
             }
         }
     }
diff --git a/server/src/main/java/org/multipaz/server/openid4vci/Openid4VpResponseServlet.kt b/server/src/main/java/org/multipaz/server/openid4vci/Openid4VpResponseServlet.kt
@@ -55,8 +55,6 @@ class Openid4VpResponseServlet: BaseServlet() {
         val decrypter = ECDHDecrypter(encKey)
         encryptedJWT.decrypt(decrypter)
 
-        val vpToken = encryptedJWT.jwtClaimsSet.getClaim("vp_token") as String
-        val deviceResponse = vpToken.fromBase64Url()
         val responseUri = "$baseUrl/openid4vp-response"
 
         val sessionTranscript = createSessionTranscriptOpenID4VP(
@@ -66,6 +64,12 @@ class Openid4VpResponseServlet: BaseServlet() {
             mdocGeneratedNonce = encryptedJWT.header.agreementPartyUInfo.toString()
         )
 
+
+        val vpTokenMap = encryptedJWT.jwtClaimsSet.getClaim("vp_token") as Map<*,*>
+
+        // "cred1" is id that we specified in request DCQL.
+        val deviceResponse = (vpTokenMap["cred1"] as String).fromBase64Url()
+
         val parser = DeviceResponseParser(deviceResponse, sessionTranscript)
         val parsedResponse = parser.parse()
 
diff --git a/server/src/main/java/org/multipaz/server/openid4vci/openid4vp.kt b/server/src/main/java/org/multipaz/server/openid4vci/openid4vp.kt
@@ -22,9 +22,12 @@ import kotlinx.datetime.plus
 import kotlinx.serialization.json.JsonObject
 import kotlinx.serialization.json.JsonPrimitive
 import kotlinx.serialization.json.add
+import kotlinx.serialization.json.addJsonObject
 import kotlinx.serialization.json.buildJsonArray
 import kotlinx.serialization.json.buildJsonObject
 import kotlinx.serialization.json.put
+import kotlinx.serialization.json.putJsonArray
+import kotlinx.serialization.json.putJsonObject
 import kotlin.random.Random
 
 data class Openid4VpSession(
@@ -46,22 +49,72 @@ fun initiateOpenid4Vp(
 
     val header = buildJsonObject {
         put("typ", JsonPrimitive("oauth-authz-req+jwt"))
-        put("alg", JsonPrimitive(publicKey.curve.defaultSigningAlgorithm.joseAlgorithmIdentifier))
-        put("jwk", publicKey.toJson(null))
+        put("alg", JsonPrimitive(publicKey.curve.defaultSigningAlgorithmFullySpecified.joseAlgorithmIdentifier))
+        //put("jwk", publicKey.toJson(null))
         put("x5c", buildJsonArray {
             for (cert in singleUseReaderKeyCertChain.certificates) {
                 add(cert.encodedCertificate.toBase64Url())
             }
         })
     }.toString().toByteArray().toBase64Url()
 
+    val credFormat = "mdoc"
+
     val body = buildJsonObject {
         put("client_id", clientId)
         put("response_uri", responseUri)
         put("response_type", "vp_token")
         put("response_mode", "direct_post.jwt")
         put("nonce", nonce)
         put("state", state)
+        putJsonObject("dcql_query") {
+            putJsonArray("credentials") {
+                if (credFormat == "vc") {
+                    addJsonObject {
+                        put("id", JsonPrimitive("cred1"))
+                        put("format", JsonPrimitive("dc+sd-jwt"))
+                        putJsonObject("meta") {
+                            put("vct_values",
+                                buildJsonArray {
+                                    add(JsonPrimitive(request.vcRequest!!.vct))
+                                }
+                            )
+                        }
+                        putJsonArray("claims") {
+                            // TODO: support path-based claims, e.g. ["address", "postal_code"]
+                            for (claim in request.vcRequest!!.claimsToRequest) {
+                                addJsonObject {
+                                    putJsonArray("path") {
+                                        add(JsonPrimitive(claim.identifier))
+                                    }
+                                }
+                            }
+                        }
+                    }
+                } else {
+                    addJsonObject {
+                        put("id", JsonPrimitive("cred1"))
+                        put("format", JsonPrimitive("mso_mdoc"))
+                        putJsonObject("meta") {
+                            put("doctype_value", JsonPrimitive(request.mdocRequest!!.docType))
+                        }
+                        putJsonArray("claims") {
+                            for (ns in request.mdocRequest!!.namespacesToRequest) {
+                                for ((de, intentToRetain) in ns.dataElementsToRequest) {
+                                    addJsonObject {
+                                        putJsonArray("path") {
+                                            add(JsonPrimitive(ns.namespace))
+                                            add(JsonPrimitive(de.attribute.identifier))
+                                        }
+                                        put("intent_to_retain", JsonPrimitive(intentToRetain))
+                                    }
+                                }
+                            }
+                        }
+                    }
+                }
+            }
+        }
         put("presentation_definition", mdocCalcPresentationDefinition(request))
         put("client_metadata", calcClientMetadata(singleUseReaderKeyPriv.publicKey))
     }.toString().toByteArray().toBase64Url()
@@ -176,7 +229,7 @@ private fun calcClientMetadata(publicKey: EcPublicKey): JsonObject {
     }
     return buildJsonObject {
         put("authorization_encrypted_response_alg", "ECDH-ES")
-        put("authorization_encrypted_response_enc", "A128CBC-HS256")
+        put("authorization_encrypted_response_enc", "A128GCM")
         put("response_mode", "direct_post.jwt")
         put("vp_formats", formats)
         put("vp_formats_supported", formats)

Original file line number	Diff line number	Diff line change
`@@ -745,8 +745,9 @@ class App private constructor(val promptModel: PromptModel) {`
`745`	`745`	`}`
`746`	`746`	`composable(route = ProvisioningTestDestination.route) {`
`747`	`747`	`ProvisioningTestScreen(`
`748`		`- promptModel = promptModel,`
`749`		`- provisioningModel = provisioningModel`
	`748`	`+ app = this@App,`
	`749`	`+ provisioningModel = provisioningModel,`
	`750`	`+ presentmentModel = presentmentModel`
`750`	`751`	`)`
`751`	`752`	`}`
`752`	`753`	`composable(route = ConsentModalBottomSheetListDestination.route) {`