[VCI] Support credential response encryption

Author: QZHelen

app/src/main/java/com/credman/cmwallet/Utils.kt

@@ -77,7 +77,6 @@ fun ecJwkThumbprintSha256(jwk: JSONObject): ByteArray {
         put("y", jwk.get("y"))
     }
     val md = MessageDigest.getInstance("SHA-256")
-    Log.d("helenqinn", jwkWithRequired.toString())
     return md.digest(jwkWithRequired.toString().toByteArray())
 }
 
@@ -188,15 +187,11 @@ fun jwsDeserialization(jws: String): Pair<JSONObject, JSONObject> {
     return Pair(header, JSONObject(payload))
 }
 
-/** ECDH-ES key agreement, A128GCM encryption, JWE Compact Serialization */
-fun jweSerialization(recipientKeyJwk: JSONObject, plainText: String): String {
-    val kid = recipientKeyJwk.optString("kid")
-    val x = recipientKeyJwk.getString("x")
-    val y = recipientKeyJwk.getString("y")
+fun toEcPublicKey(x: String, y: String): PublicKey {
     val kf = KeyFactory.getInstance("EC")
     val parameters = AlgorithmParameters.getInstance("EC")
     parameters.init(ECGenParameterSpec("secp256r1"))
-    val publicKey = kf.generatePublic(
+    return kf.generatePublic(
         ECPublicKeySpec(
             ECPoint(
                 BigInteger(1, x.decodeBase64UrlNoPadding()),
@@ -205,6 +200,12 @@ fun jweSerialization(recipientKeyJwk: JSONObject, plainText: String): String {
             parameters.getParameterSpec(ECParameterSpec::class.java)
         )
     )
+}
+
+/** ECDH-ES key agreement, A128GCM encryption, JWE Compact Serialization */
+fun jweSerialization(recipientKeyJwk: JSONObject, plainText: String): String {
+    val kid = recipientKeyJwk.optString("kid")
+    val publicKey = toEcPublicKey(recipientKeyJwk.getString("x"), recipientKeyJwk.getString("y"))
     val kpg =  KeyPairGenerator.getInstance("EC")
     kpg.initialize(ECGenParameterSpec("secp256r1"))
     val kp = kpg.genKeyPair()
@@ -251,3 +252,63 @@ fun jweSerialization(recipientKeyJwk: JSONObject, plainText: String): String {
     val tagEncoded = tag.toBase64UrlNoPadding()
     return "${headerEncoded}..${ivEncoded}.${ctEncoded}.${tagEncoded}"
 }
+
+fun jweDecrypt(jwe: String, privateKey: PrivateKey): String {
+    val parts = jwe.split(".")
+
+    val headerB64 = parts[0]
+    val ivB64 = parts[2]
+    val ciphertextB64 = parts[3]
+    val tagB64 = parts[4]
+
+    val headerJsonStr = String(headerB64.decodeBase64UrlNoPadding(), Charsets.UTF_8)
+    val header = JSONObject(headerJsonStr)
+
+    val alg = header.optString("alg")
+    val enc = header.optString("enc")
+    require(alg == "ECDH-ES" && enc == "A128GCM") { "Unsupported algorithms: alg=$alg, enc=$enc" }
+
+    val epk = header.getJSONObject("epk")
+    require(epk.getString("crv") == "P-256") { "Only P-256 curve is supported" }
+
+    val publicKey = toEcPublicKey(epk.getString("x"), epk.getString("y"))
+
+    val keyAgreement = KeyAgreement.getInstance("ECDH")
+    keyAgreement.init(privateKey)
+    keyAgreement.doPhase(publicKey, true)
+    val sharedSecret = keyAgreement.generateSecret()
+    val concatKdf = ConcatKeyDerivationFunction("SHA-256")
+
+    val algOctets = "A128GCM".toByteArray()
+    val keydatalen = 128
+
+    val apu = if (header.has("apu")) header.getString("apu").decodeBase64UrlNoPadding() else ByteArray(0)
+    val apv = if (header.has("apv")) header.getString("apv").decodeBase64UrlNoPadding() else ByteArray(0)
+
+    val derivedKey = concatKdf.kdf(
+        sharedSecret,
+        keydatalen,
+        intToBigEndianByteArray(algOctets.size) + algOctets,
+        intToBigEndianByteArray(apu.size) + apu,
+        intToBigEndianByteArray(apv.size) + apv,
+        intToBigEndianByteArray(keydatalen),
+        ByteArray(0)
+    )
+
+    val iv = ivB64.decodeBase64UrlNoPadding()
+    val ciphertext = ciphertextB64.decodeBase64UrlNoPadding()
+    val tag = tagB64.decodeBase64UrlNoPadding()
+
+    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
+    val secretKey = SecretKeySpec(derivedKey, "AES")
+
+    cipher.init(Cipher.DECRYPT_MODE, secretKey, GCMParameterSpec(128, iv))
+
+    cipher.updateAAD(headerB64.toByteArray())
+
+    // In Java/Android, the Cipher expects the ciphertext and authentication tag to be concatenated
+    val combinedCiphertextAndTag = ciphertext + tag
+    val plaintextBytes = cipher.doFinal(combinedCiphertextAndTag)
+
+    return String(plaintextBytes, Charsets.UTF_8)
+}

app/src/main/java/com/credman/cmwallet/openid4vci/OpenId4VCI.kt

@@ -7,11 +7,14 @@ import android.util.Log
 import androidx.compose.ui.input.key.Key
 import com.credman.cmwallet.CmWalletApplication.Companion.TAG
 import com.credman.cmwallet.createJWTES256
+import com.credman.cmwallet.jweDecrypt
 import com.credman.cmwallet.jweSerialization
 import com.credman.cmwallet.loadECPrivateKey
 import com.credman.cmwallet.openid4vci.data.CredentialOffer
 import com.credman.cmwallet.openid4vci.data.CredentialRequest
 import com.credman.cmwallet.openid4vci.data.CredentialResponse
+import com.credman.cmwallet.openid4vci.data.CredentialResponseEncryptionInReuqest
+import com.credman.cmwallet.openid4vci.data.JwkKey
 import com.credman.cmwallet.openid4vci.data.NonceResponse
 import com.credman.cmwallet.openid4vci.data.OauthAuthorizationServer
 import com.credman.cmwallet.openid4vci.data.ParResponse
@@ -294,7 +297,7 @@ class OpenId4VCI(val credentialOfferJson: String) {
         val key = keys.firstOrNull{
             it.alg == "ECDH-ES"
         } ?: throw java.lang.UnsupportedOperationException("No supported encryption key")
-        return JSONObject(Json.encodeToString(key))
+        return JSONObject(json.encodeToString(key))
     }
     fun requireCredentialResponseEncryption(): Boolean = credentialOffer.issuerMetadata.credentialResponseEncryption?.encryptionRequired ?: false
 
@@ -304,7 +307,26 @@ class OpenId4VCI(val credentialOfferJson: String) {
         credentialRequest: CredentialRequest,
         nonce: String? = null,
     ): CredentialResponse {
-        Log.d(TAG, "Credential request: $credentialRequest")
+        var responseEncryptionKey: KeyPair? = null
+        val request: CredentialRequest = if (requireCredentialResponseEncryption()) {
+            Log.d(TAG, "Credential response encryption requested")
+            if (credentialOffer.issuerMetadata.credentialResponseEncryption!!.encValuesSupported.contains("A128GCM") &&
+                credentialOffer.issuerMetadata.credentialResponseEncryption.algValuesSupported.contains("ECDH-ES")) {
+                val kpg = KeyPairGenerator.getInstance("EC")
+                kpg.initialize(ECGenParameterSpec("secp256r1"))
+                responseEncryptionKey = kpg.genKeyPair()
+                credentialRequest.copy(
+                    credentialResponseEncryption = CredentialResponseEncryptionInReuqest(
+                        enc = "A128GCM",
+                        jwk = JwkKey.fromPublicKey(responseEncryptionKey.public, alg = "ECDH-ES")
+                    )
+                )
+            } else {
+                throw UnsupportedOperationException("Unsupported Credential Response encryption")
+            }
+        } else { credentialRequest }
+
+        Log.d(TAG, "Credential request: $request")
         val endpoint = credentialOffer.issuerMetadata.credentialEndpoint
         val md = MessageDigest.getInstance("SHA256")
         val accessTokenHash = md.digest(accessToken.toByteArray()).toBase64UrlNoPadding()
@@ -318,12 +340,12 @@ class OpenId4VCI(val credentialOfferJson: String) {
                 contentType(ContentType("application", "jwt"))
                 setBody(jweSerialization(
                     recipientKeyJwk = getCredentialRequestEncryptionKey(),
-                    plainText = json.encodeToJsonElement(credentialRequest).toString()
+                    plainText = json.encodeToJsonElement(request).toString()
                 ))
             } else {
                 contentType(ContentType.Application.Json)
                 setBody(
-                    json.encodeToJsonElement(credentialRequest)
+                    json.encodeToJsonElement(request)
                 )
             }
         }
@@ -338,7 +360,12 @@ class OpenId4VCI(val credentialOfferJson: String) {
         Log.d(TAG, "Credential response status: ${result.status}")
         Log.d(TAG, "Credential response: ${result.bodyAsText()}")
 
-        return result.body()
+        return if (responseEncryptionKey != null) {
+            val encryptedCredentialResponse = result.bodyAsText()
+            json.decodeFromString<CredentialResponse>(jweDecrypt(encryptedCredentialResponse, responseEncryptionKey.private))
+        } else {
+            result.body()
+        }
     }
 
     suspend fun createJwt(publicKey: PublicKey, privateKey: PrivateKey): String {

app/src/main/java/com/credman/cmwallet/openid4vci/data/CredentialEndpoint.kt

@@ -17,7 +17,14 @@ data class Proofs(
 data class CredentialRequest(
     @SerialName("credential_identifier") val credentialIdentifier: String? = null,
     @SerialName("credential_configuration_id") val credentialConfigurationId: String? = null,
-    @SerialName("proofs") val proofs: Proofs? = null
+    @SerialName("proofs") val proofs: Proofs? = null,
+    @SerialName("credential_response_encryption") val credentialResponseEncryption: CredentialResponseEncryptionInReuqest? = null
+)
+
+@Serializable
+data class CredentialResponseEncryptionInReuqest(
+    @SerialName("jwk") val jwk: JwkKey,
+    @SerialName("enc") val enc: String,
 )
 
 @Serializable

app/src/main/java/com/credman/cmwallet/openid4vci/data/CredentialOfferEndpoint.kt

@@ -1,11 +1,17 @@
 package com.credman.cmwallet.openid4vci.data
 
+import com.credman.cmwallet.toBase64UrlNoPadding
+import com.credman.cmwallet.toFixedByteArray
 import kotlinx.serialization.SerialName
 import kotlinx.serialization.Serializable
+import kotlinx.serialization.json.Json
 import kotlinx.serialization.json.JsonContentPolymorphicSerializer
 import kotlinx.serialization.json.JsonElement
+import kotlinx.serialization.json.encodeToJsonElement
 import kotlinx.serialization.json.jsonObject
 import kotlinx.serialization.json.jsonPrimitive
+import java.security.PublicKey
+import java.security.interfaces.ECPublicKey
 
 @Serializable
 data class GrantPreAuthorizedCode(
@@ -31,9 +37,34 @@ data class JwkKey(
     @SerialName("use") val use: String?,
     @SerialName("alg") val alg: String?,
     @SerialName("kid") val kid: String?,
+    @SerialName("crv") val crv: String?,
     @SerialName("x") val x: String?,
     @SerialName("y") val y: String?,
-)
+) {
+    companion object {
+        fun fromPublicKey(publicKey: PublicKey, alg: String?): JwkKey {
+            when (publicKey) {
+                is ECPublicKey -> {
+                    val x = publicKey.w.affineX.toFixedByteArray(32).toBase64UrlNoPadding()
+                    val y = publicKey.w.affineY.toFixedByteArray(32).toBase64UrlNoPadding()
+                    return JwkKey(
+                        kty = "EC",
+                        crv = "P-256",
+                        x = x,
+                        y = y,
+                        kid = null,
+                        use = null,
+                        alg = alg
+                    )
+                }
+
+                else -> {
+                    throw IllegalArgumentException("Only support EC Keys for now")
+                }
+            }
+        }
+    }
+}
 
 @Serializable
 data class Jwks(