Merge branch 'refac' into feature/italia#299-Presentation-Submission

.gitignore

@@ -169,4 +169,8 @@ env
 
 .DS_Store
 
-docs/source
+docs/source
+
+# VSCode
+#  VSCode specific settings
+.vscode/

docs/SD-JWT.md

@@ -0,0 +1,150 @@
+# sd-jwt-python Fork with cryptojwt
+
+## Introduction
+
+This module is a fork of [sd-jwt-python](https://github.com/openwallet-foundation-labs/sd-jwt-python) project. It has been adapted to use the [`cryptojwt`](https://github.com/IdentityPython/JWTConnect-Python-CryptoJWT) library as the core JWT implementation. 
+
+
+If you're familiar with the original `sd-jwt-python` library, this fork retains similar functionality with minimal API changes, if needed.
+
+---
+
+## Features
+
+- **SD-JWT Support**: Implements the Selective Disclosure JWT standard.
+- **`cryptojwt` Integration**: Leverages a mature and feature-rich library for JWT operations.
+- **Backward Compatibility**: Minimal changes required for existing users of `sd-jwt-python`.
+- **Improved Flexibility**: Extensible for custom SD-JWT use cases.
+
+---
+
+# SD-JWT Library Usage Documentation
+
+## Introduction
+
+This library provides an implementation of the SD-JWT (Selective Disclosure for JWT) standard. This document explains how to create and verify a Selected-Disclosure JWT (SD-JWT) using the EUDI Wallet IT Python library. It also covers how to validate proof of possession enabling three key operations:
+1. **Issuer**: Generate an SD-JWT with selective disclosure capabilities.
+2. **Holder**: Select claims to disclose and create a presentation.
+3. **Verifier**: Validate the SD-JWT and verify the disclosed claims.
+
+### Requirements
+- Python version as configured in the CI of this project.
+- Install the library via `pip`:
+```bash
+pip install pyeudiw
+```
+
+- **Key Requirements**:
+  - All keys must be in JWK (JSON Web Key) format, conforming to [RFC 7517](https://datatracker.ietf.org/doc/html/rfc7517).
+  - You can use a library like `cryptojwt` to generate or manage JWKs. Example:
+
+```bash
+from cryptojwt.jwk.ec import new_ec_key
+
+# Generate an EC key pair
+issuer_private_key = new_ec_key('P-256')
+
+# Serialize the keys
+issuer_keys = [issuer_private_key.serialize(private=True)]  # List of private keys
+public_key = issuer_private_key.serialize()  # Public key
+```
+---
+
+## 1. Issuer: Generating an SD-JWT
+
+The Issuer creates an SD-JWT using the user's claims (`user_claims`) and a private key in JWK format to sign the token.
+
+### Example
+
+```bash
+from pyeudiw.sd_jwt.issuer import SDJWTIssuer
+
+# User claims
+user_claims = {
+    "sub": "john_doe_42",
+    "given_name": "John",
+    "family_name": "Doe",
+    "email": "[email protected]",
+}
+
+# Generate private keys
+issuer_private_key = new_ec_key('P-256')
+issuer_keys = [issuer_private_key.serialize(private=True)]  # List of private JWKs
+holder_key = new_ec_key('P-256').serialize(private=True)    # Holder private key (optional)
+
+# Create SD-JWT
+sdjwt_issuer = SDJWTIssuer(
+    user_claims=user_claims,
+    issuer_keys=issuer_keys,       # List of private JWKs
+    holder_key=holder_key,         # Holder key (optional)
+    add_decoy_claims=True,         # Add decoy claims for privacy
+    serialization_format="compact" # Compact JWS format
+)
+
+# Output SD-JWT and disclosures
+print("SD-JWT Issuance:", sdjwt_issuer.sd_jwt_issuance)
+```
+
+---
+
+## 2. Holder: Creating a Selective Disclosure Presentation
+
+The Holder receives the SD-JWT from the Issuer and selects which claims to disclose to the Verifier.
+
+### Example
+
+```bash
+from pyeudiw.sd_jwt.holder import SDJWTHolder
+
+# Claims to disclose
+holder_disclosed_claims = {
+    "given_name": True,
+    "family_name": True
+}
+
+# Initialize Holder
+sdjwt_holder = SDJWTHolder(sdjwt_issuer.sd_jwt_issuance)
+
+# Create presentation with selected claims
+sdjwt_holder.create_presentation(
+    disclosed_claims=holder_disclosed_claims,
+    nonce=None,             # Optional: Used for key binding
+    verifier=None,          # Optional: Verifier identifier for key binding
+    holder_key=holder_key   # Optional: Holder private key for key binding
+)
+
+# Output the presentation
+print("SD-JWT Presentation:", sdjwt_holder.sd_jwt_presentation)
+```
+
+## 3. Verifier: Verifying an SD-JWT
+
+The Verifier validates the SD-JWT and checks the disclosed claims.
+
+### Example
+
+```python
+from pyeudiw.sd_jwt.verifier import SDJWTVerifier
+
+# Callback to retrieve Issuer's public key
+def get_issuer_public_key(issuer, header_parameters):
+    # Return the public key(s) in JWK format
+    return [issuer_private_key.serialize()]
+
+# Initialize Verifier
+sdjwt_verifier = SDJWTVerifier(
+    sdjwt_presentation=sdjwt_holder.sd_jwt_presentation,
+    cb_get_issuer_key=get_issuer_public_key
+)
+
+# Verify and retrieve payload
+verified_payload = sdjwt_verifier.get_verified_payload()
+
+# Verified claims
+print("Verified Claims:", verified_payload)
+```
+
+
+---
+
+```

example/satosa/integration_test/.env.example

@@ -0,0 +1 @@
+PYEUDIW_MONGO_TEST_AUTH_INLINE=satosa:thatpassword@

example/satosa/integration_test/README.md

@@ -7,15 +7,41 @@ This integration test will verify a full authentication flow of a simulated IT-W
 ### Environment
 
 An up an running Openid4VP Relying Party is a requirement of this project.
-The intended Relying Party of this integration test is the example one provided in the repostiory [https://github.com/italia/Satosa-Saml2Spid](https://github.com/italia/Satosa-Saml2Spid).
+The intended Relying Party of this integration test is the example one provided in the repository [https://github.com/italia/Satosa-Saml2Spid](https://github.com/italia/Satosa-Saml2Spid).
 That project will provide full instruction on how to setup such an environment with Docker.
 
-Before starting, make sure that the `pyeudiw_backend.yaml` is properly configured and included in the file `proxy_conf.yaml` that is running in your Docker environemnt.
+Before starting, make sure that the `pyeudiw_backend.yaml` is properly configured and included in the file `proxy_conf.yaml` that is running in your Docker environment.
 This project folder always provide up to date example of the pyeudiw plugin configuration in the file [pyeudiw_backend.yaml](./pyeudiw_backend.yaml), as well as other configuration file of the module in [static](./static/) and [template](./template/) folders.
 
+#### MongoDB Configuration for Tests
+
+The MongoDB connection is configured dynamically using the environment variable `PYEUDIW_MONGO_TEST_AUTH_INLINE`.
+
+#### How It Works
+- The value of `PYEUDIW_MONGO_TEST_AUTH_INLINE` should be in the format `username:password@`.
+- If the variable is not set, the configuration defaults to:
+  - **Authentication**: Defaults to empty string.
+  - **MongoDB URL**: `mongodb://localhost:27017/?timeoutMS=2000`.
+
+#### Example Usage
+1. **With Authentication**:
+   Set the environment variable:
+   ```bash
+   export PYEUDIW_MONGO_TEST_AUTH_INLINE="satosa:thatpassword@"
+   ```
+
+   or just using `.env` file
+
+#### Custom Behavior
+You can override the default credentials by setting the environment variable:
+
+```bash
+export PYEUDIW_MONGO_TEST_AUTH_INLINE="customuser:custompassword@"
+```
+
 ### Dependencies
 
-Requirements eexclusive to the integration test can be installed with
+Requirements exclusive to the integration test can be installed with
 
     pip install -r requirements_test.txt
 

example/satosa/integration_test/commons.py

@@ -1,33 +1,32 @@
 import base64
+from pyeudiw.tools.utils import exp_from_now, iat_now
 from bs4 import BeautifulSoup
 import datetime
 import requests
 from typing import Any, Literal
 
+from io import StringIO
 from pyeudiw.jwk import JWK
-from pyeudiw.jwt import DEFAULT_SIG_KTY_MAP, JWEHelper
+from pyeudiw.jwt import DEFAULT_SIGN_KTY_TO_ALG, JWEHelper
 from pyeudiw.jwt.utils import decode_jwt_payload
-from pyeudiw.sd_jwt import (
-    import_ec,
-    issue_sd_jwt,
-    load_specification_from_yaml_string
-)
+from pyeudiw.sd_jwt.issuer import SDJWTIssuer
+from pyeudiw.sd_jwt.utils.yaml_specification import _yaml_load_specification
+from cryptojwt.jwk.jwk import key_from_jwk_dict
 from pyeudiw.storage.base_storage import TrustType
 from pyeudiw.storage.db_engine import DBEngine
 from pyeudiw.tests.federation.base import (
     EXP,
     ta_ec,
     ta_ec_signed,
     leaf_cred,
-    leaf_cred_jwk,
     leaf_cred_jwk_prot,
     leaf_cred_signed,
     leaf_wallet,
     leaf_wallet_jwk,
     leaf_wallet_signed,
-    trust_chain_issuer
 )
-from sd_jwt.holder import SDJWTHolder
+from pyeudiw.sd_jwt.holder import SDJWTHolder
+from pyeudiw.trust.model.trust_source import TrustSourceData
 from saml2_sp import saml2_request
 
 from settings import (
@@ -53,6 +52,15 @@
     "default_exp": 1024,
     "key_binding": True
 }
+CREDENTIAL_ISSUER_TRUST_SOURCE_Dict = {
+    "entity_id": ISSUER_CONF["issuer"],
+    "policies": {},
+    "metadata": {},
+    "revoked": False,
+    "keys": [CREDENTIAL_ISSUER_JWK.as_dict()],
+    "trust_params": {}
+}
+CREDENTIAL_ISSUER_TRUST_SOURCE = TrustSourceData(**CREDENTIAL_ISSUER_TRUST_SOURCE_Dict)
 WALLET_PRIVATE_JWK = JWK(leaf_wallet_jwk.serialize(private=True))
 WALLET_PUBLIC_JWK = JWK(leaf_wallet_jwk.serialize())
 
@@ -83,7 +91,8 @@ def apply_trust_settings(db_engine_inst: DBEngine) -> DBEngine:
     db_engine_inst.add_or_update_trust_attestation(
         entity_id=leaf_cred["iss"],
         attestation=leaf_cred_signed,
-        exp=datetime.datetime.now().isoformat()
+        exp=datetime.datetime.now().isoformat(),
+        trust_type=TrustType.FEDERATION
     )
 
     settings = ISSUER_CONF
@@ -92,28 +101,40 @@ def apply_trust_settings(db_engine_inst: DBEngine) -> DBEngine:
         trust_type=TrustType.DIRECT_TRUST_SD_JWT_VC,
         jwks=[leaf_cred_jwk_prot.serialize()]
     )
+
+    db_engine_inst.add_trust_source(
+        trust_source=CREDENTIAL_ISSUER_TRUST_SOURCE_Dict
+    )
+
     return db_engine_inst
 
 def create_saml_auth_request() -> str:
-    auth_req_url = f"{saml2_request["headers"][0][1]}&idp_hinting=wallet"
+    auth_req_url = f"{saml2_request['headers'][0][1]}&idp_hinting=wallet"
     return auth_req_url
 
 def create_issuer_test_data() -> dict[Literal["jws"] | Literal["issuance"], str]:
     # create a SD-JWT signed by a trusted credential issuer
     settings = ISSUER_CONF
     settings["default_exp"] = 33
-    sd_specification = load_specification_from_yaml_string(
-        settings["sd_specification"]
-    )
 
-    issued_jwt = issue_sd_jwt(
-        sd_specification,
-        settings,
-        CREDENTIAL_ISSUER_JWK,
-        WALLET_PUBLIC_JWK,
-        additional_headers={"typ": "vc+sd-jwt"}
+    user_claims = _yaml_load_specification(StringIO(settings["sd_specification"]))
+    claims = {
+        "iss": settings["issuer"],
+        "iat": iat_now(),
+        "exp": exp_from_now(settings["default_exp"])  # in seconds
+    }
+    user_claims.update(claims)
+    issued_jwt = SDJWTIssuer(
+        issuer_keys=CREDENTIAL_ISSUER_JWK.as_dict(),
+        holder_key=WALLET_PUBLIC_JWK.as_dict(),
+        extra_header_parameters={
+            "typ": "dc+sd-jwt",
+            "kid": CREDENTIAL_ISSUER_JWK.kid
+        },
+        user_claims=user_claims,
+        add_decoy_claims=claims.get("add_decoy_claims", True)
     )
-    return issued_jwt
+    return {"jws": issued_jwt.serialized_sd_jwt, "issuance": issued_jwt.sd_jwt_issuance}
 
 
 def create_holder_test_data(issued_jwt: dict[Literal["jws"] | Literal["issuance"], str], request_nonce: str, request_aud: str) -> str:
@@ -123,6 +144,7 @@ def create_holder_test_data(issued_jwt: dict[Literal["jws"] | Literal["issuance"
         issued_jwt["issuance"],
         serialization_format="compact",
     )
+    holder_private_key: dict | None = WALLET_PRIVATE_JWK.as_dict() if settings.get("key_binding", False) else None
     sdjwt_at_holder.create_presentation(
         claims_to_disclose={
             "tax_id_code": True,
@@ -131,15 +153,8 @@ def create_holder_test_data(issued_jwt: dict[Literal["jws"] | Literal["issuance"
         },
         nonce=request_nonce,
         aud=request_aud,
-        sign_alg=DEFAULT_SIG_KTY_MAP[WALLET_PRIVATE_JWK.key.kty],
-        holder_key=(
-            import_ec(
-                WALLET_PRIVATE_JWK.key.priv_key,
-                kid=WALLET_PRIVATE_JWK.kid
-            )
-            if settings.get("key_binding", False)
-            else None
-        )
+        sign_alg=DEFAULT_SIGN_KTY_TO_ALG[WALLET_PRIVATE_JWK.key.kty],
+        holder_key=holder_private_key
     )
 
     vp_token = sdjwt_at_holder.sd_jwt_presentation

example/satosa/integration_test/cross_device_integration_test.py

@@ -51,7 +51,7 @@ def _get_browser_page(playwright: Playwright) -> Page:
     webkit = playwright.webkit
     rp_browser = webkit.launch(timeout=0)
     rp_context = rp_browser.new_context(
-        ignore_https_errors=True,  # required as otherwise self-sgined certificates are not accepted,
+        ignore_https_errors=True,  # required as otherwise self-signed certificates are not accepted,
         java_script_enabled=True,
         user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.79 Safari/537.36"
     )
@@ -138,7 +138,7 @@ def run(playwright: Playwright):
                 break
         assert result_index != -1, f"missing attribute with name=[{exp_att_name}] in result set"
         obt_att_value = attributes[result_index].contents[0].contents[0]
-        assert exp_att_value == obt_att_value, f"wrong attrirbute parsing expected {exp_att_value}, obtained {obt_att_value}"
+        assert exp_att_value == obt_att_value, f"wrong attribute parsing expected {exp_att_value}, obtained {obt_att_value}"
 
     print("TEST PASSED")
 

example/satosa/integration_test/same_device_integration_test.py

@@ -21,6 +21,7 @@
 db_engine_inst = setup_test_db_engine()
 db_engine_inst = apply_trust_settings(db_engine_inst)
 
+
 def _extract_request_uri(e: Exception) -> str:
     request_uri: str = re.search(r'request_uri=(.*?)(?:\'|\s|$)', urllib.parse.unquote_plus(e.args[0])).group(1)
     request_uri = request_uri.rstrip()
@@ -110,7 +111,7 @@ def _extract_request_uri(e: Exception) -> str:
             break
     assert result_index != -1, f"missing attribute with name=[{exp_att_name}] in result set"
     obt_att_value = attributes[result_index].contents[0].contents[0]
-    assert exp_att_value == obt_att_value, f"wrong attrirbute parsing expected {exp_att_value}, obtained {obt_att_value}"
+    assert exp_att_value == obt_att_value, f"wrong attribute parsing expected {exp_att_value}, obtained {obt_att_value}"
 
 
 print("TEST PASSED")