Use trusted time

QZHelen · QZHelen · commit a36fb19fc886 · 2026-04-30T23:15:55.000Z
diff --git a/app/build.gradle.kts b/app/build.gradle.kts
@@ -76,6 +76,7 @@ dependencies {
     androidTestImplementation(libs.androidx.ui.test.junit4)
     debugImplementation(libs.androidx.ui.tooling)
     debugImplementation(libs.androidx.ui.test.manifest)
+    implementation(libs.play.services.time)
 }
 
 configurations.all {
diff --git a/app/src/main/java/com/credman/cmwallet/CmWalletApplication.kt b/app/src/main/java/com/credman/cmwallet/CmWalletApplication.kt
@@ -14,11 +14,14 @@ import androidx.room.Room
 import com.credman.cmwallet.data.repository.CredentialRepository
 import com.credman.cmwallet.data.room.CredentialDatabase
 import com.credman.cmwallet.mdoc.MDoc
+import com.google.android.gms.time.TrustedTime
+import com.google.android.gms.time.TrustedTimeClient
 import kotlinx.coroutines.CoroutineScope
 import kotlinx.coroutines.Dispatchers
 import kotlinx.coroutines.SupervisorJob
 import kotlinx.coroutines.launch
 import java.io.ByteArrayOutputStream
+import java.time.Instant
 import kotlin.io.encoding.ExperimentalEncodingApi
 
 
@@ -29,6 +32,8 @@ class CmWalletApplication : Application() {
 
         lateinit var walletIcon: Bitmap
 
+        var trustedTimeClient: TrustedTimeClient? = null
+
         fun computeClientId(callingAppInfo: CallingAppInfo): String {
             val origin = callingAppInfo.getOrigin(credentialRepo.privAppsJson)
             return if (origin == null) {
@@ -38,15 +43,24 @@ class CmWalletApplication : Application() {
             }
         }
 
+        fun getCurrentTime() =
+            trustedTimeClient?.computeCurrentInstant()?.epochSecond ?: Instant.now().epochSecond
+
         const val TAG = "CmWalletApplication"
     }
 
     private val registryManager = RegistryManager.create(this)
+
     private val applicationScope = CoroutineScope(SupervisorJob() + Dispatchers.Default)
 
     @OptIn(ExperimentalDigitalCredentialApi::class, ExperimentalEncodingApi::class)
     override fun onCreate() {
         super.onCreate()
+        TrustedTime.createClient(this).addOnSuccessListener {
+            trustedTimeClient = it
+        }.addOnFailureListener {
+            Log.e(TAG, "Could not get trusted time client $it")
+        }
 
         walletIcon = resources.getDrawable(R.mipmap.ic_launcher, theme).toBitmap()
 
diff --git a/app/src/main/java/com/credman/cmwallet/Utils.kt b/app/src/main/java/com/credman/cmwallet/Utils.kt
@@ -2,6 +2,7 @@ package com.credman.cmwallet
 
 import android.util.Log
 import com.credman.cmwallet.sdjwt.jwsSignatureToDer
+import com.google.android.gms.time.TrustedTimeClient
 import kotlinx.serialization.encodeToString
 import kotlinx.serialization.json.Json
 import kotlinx.serialization.json.JsonElement
@@ -29,6 +30,7 @@ import java.security.spec.ECParameterSpec
 import java.security.spec.ECPoint
 import java.security.spec.ECPublicKeySpec
 import java.security.spec.PKCS8EncodedKeySpec
+import java.time.Instant
 import java.util.Arrays
 import javax.crypto.Cipher
 import javax.crypto.KeyAgreement
diff --git a/app/src/main/java/com/credman/cmwallet/openid4vci/OpenId4VCI.kt b/app/src/main/java/com/credman/cmwallet/openid4vci/OpenId4VCI.kt
@@ -5,6 +5,7 @@ import android.security.keystore.KeyProperties
 import android.util.Base64
 import android.util.Log
 import com.credman.cmwallet.CmWalletApplication.Companion.TAG
+import com.credman.cmwallet.CmWalletApplication.Companion.getCurrentTime
 import com.credman.cmwallet.createJWTES256
 import com.credman.cmwallet.jweDecrypt
 import com.credman.cmwallet.jweSerialization
@@ -224,7 +225,7 @@ class OpenId4VCI(val credentialOfferJson: String) {
         val clientAttestationPayload = buildJsonObject {
             put("sub", WALLET_CLIENT_ID)
             put("wallet_name", WALLET_NAME)
-            put("exp", Instant.now().epochSecond + 432000 /* 5 days */)
+            put("exp", getCurrentTime() + 432000 /* 5 days */)
             put("cnf", buildJsonObject {
                 put("jwk", kp.public.toJWK())
             })
@@ -240,7 +241,7 @@ class OpenId4VCI(val credentialOfferJson: String) {
         val clientAttestationPopPayload = buildJsonObject {
             put("aud", authServerIdentifier())
             put("jti", Uuid.random().toByteArray().encodeBase64())
-            put("iat", Instant.now().epochSecond)
+            put("iat", getCurrentTime())
             put("challenge", challenge)
         }
         return createJWTES256(clientAttestationPopHeader, clientAttestationPopPayload, kp.private)
@@ -256,7 +257,7 @@ class OpenId4VCI(val credentialOfferJson: String) {
             put("jti", Uuid.random().toByteArray().encodeBase64())
             put("htm", method)
             put("htu", endpoint)
-            put("iat", Instant.now().epochSecond)
+            put("iat", getCurrentTime())
             ath?.let { put("ath", ath) }
             dpopNonce?.let { put("nonce", dpopNonce) }
         }
@@ -405,7 +406,7 @@ class OpenId4VCI(val credentialOfferJson: String) {
                 },
                 payload = buildJsonObject {
                     put("aud", credentialOffer.credentialIssuer)
-                    put("iat", Instant.now().epochSecond)
+                    put("iat", getCurrentTime())
                     put("nonce", nonceResponse.cNonce)
                 },
                 privateKey = privateKey
diff --git a/app/src/main/java/com/credman/cmwallet/sdjwt/SdJwt.kt b/app/src/main/java/com/credman/cmwallet/sdjwt/SdJwt.kt
@@ -9,6 +9,7 @@ import java.math.BigInteger
 import java.nio.ByteBuffer
 import java.security.MessageDigest
 import android.util.Base64
+import com.credman.cmwallet.CmWalletApplication.Companion.getCurrentTime
 import com.credman.cmwallet.createJWTES256
 import com.credman.cmwallet.jwsDeserialization
 import com.credman.cmwallet.loadECPrivateKey
@@ -143,7 +144,7 @@ class SdJwt(
             put("alg", "ES256")
         }
         val kbPayload = buildJsonObject {
-            put("iat", Instant.now().epochSecond)
+            put("iat", getCurrentTime())
             put("aud", aud)
             put("nonce", nonce)
             put("sd_hash", digest)
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
@@ -12,6 +12,7 @@ ktorClient = "3.0.1"
 lifecycleRuntimeKtx = "2.6.1"
 activityCompose = "1.10.0"
 composeBom = "2024.12.01"
+playServicesTime = "16.0.1"
 registryDigitalcredentialsMdoc = "1.0.0-SNAPSHOT"
 lifecycleRuntimeComposeAndroid = "2.8.7"
 roomRuntime = "2.6.1"
@@ -53,6 +54,7 @@ ktor-serialization-kotlinx-json = { module = "io.ktor:ktor-serialization-kotlinx
 lifecycle-runtime-ktx = { module = "androidx.lifecycle:lifecycle-runtime-ktx" }
 androidx-lifecycle-runtime-compose-android = { group = "androidx.lifecycle", name = "lifecycle-runtime-compose-android", version.ref = "lifecycleRuntimeComposeAndroid" }
 androidx-room-ktx = { group = "androidx.room", name = "room-ktx", version.ref = "roomRuntime" }
+play-services-time = { module = "com.google.android.gms:play-services-time", version.ref = "playServicesTime" }
 
 [plugins]
 android-application = { id = "com.android.application", version.ref = "agp" }

Original file line number	Diff line number	Diff line change
`@@ -76,6 +76,7 @@ dependencies {`
`76`	`76`	`androidTestImplementation(libs.androidx.ui.test.junit4)`
`77`	`77`	`debugImplementation(libs.androidx.ui.tooling)`
`78`	`78`	`debugImplementation(libs.androidx.ui.test.manifest)`
	`79`	`+ implementation(libs.play.services.time)`
`79`	`80`	`}`
`80`	`81`
`81`	`82`	`configurations.all {`