Dc api validate origin (#473)

* DC-API: Validate origin

Signed-off-by: Kevin <[email protected]>

* DC-API: refactor

Signed-off-by: Kevin <[email protected]>

---------

Signed-off-by: Kevin <[email protected]>

Author: Dindexx

src/WalletFramework.Oid4Vc/Oid4Vp/DcApi/Models/DcApiRequestBatch.cs

@@ -1,3 +1,4 @@
+using LanguageExt;
 using Newtonsoft.Json.Linq;
 using WalletFramework.Core.Functional;
 using WalletFramework.Core.Functional.Errors;
@@ -24,7 +25,7 @@ private DcApiRequestBatch(DcApiRequestItem[] requests)
 
     private static DcApiRequestBatch Create(DcApiRequestItem[] requests) => new(requests);
 
-    public static Validation<DcApiRequestBatch> From(string requestBatchJson)
+    public static Validation<DcApiRequestBatch> From(string requestBatchJson, Option<Origin> origin)
     {
         if (string.IsNullOrWhiteSpace(requestBatchJson))
         {
@@ -41,10 +42,10 @@ public static Validation<DcApiRequestBatch> From(string requestBatchJson)
             return new InvalidJsonError(requestBatchJson, e).ToInvalid<DcApiRequestBatch>();
         }
 
-        return From(jObject);
+        return From(jObject, origin);
     }
 
-    public static Validation<DcApiRequestBatch> From(JObject requestBatchJson)
+    public static Validation<DcApiRequestBatch> From(JObject requestBatchJson,  Option<Origin> origin)
     {
         var requestsValidation =
             from jToken in requestBatchJson.GetByKey("requests")
@@ -53,7 +54,7 @@ from items in jArray.TraverseAll(token =>
             {
                 return
                     from jObject in token.ToJObject()
-                    from item in DcApiRequestItem.ValidDcApiRequestItem(jObject)
+                    from item in DcApiRequestItem.ValidDcApiRequestItem(jObject, origin)
                     select item;
             })
             select items.ToArray();

src/WalletFramework.Oid4Vc/Oid4Vp/DcApi/Models/DcApiRequestItem.cs

@@ -17,24 +17,26 @@ public record DcApiRequestItem
     /// <summary>
     ///     Gets the data. Contains the actual DcApiRequest.
     /// </summary>
-    public AuthorizationRequest Data { get; }
+    public AuthorizationRequest Data { get; init; }
 
     /// <summary>
     ///     Gets the protocol. Specifies the protocol used for this request.
     /// </summary>
     public string Protocol { get; }
 
-    public Option<Origin> Origin { get; init; } = Option<Origin>.None;
+    public Option<Origin> Origin { get; } = Option<Origin>.None;
 
     private DcApiRequestItem(
         AuthorizationRequest data,
-        string protocol)
+        string protocol,
+        Option<Origin> origin)
     {
         Data = data;
         Protocol = protocol;
+        Origin = origin;
     }
 
-    public static Validation<DcApiRequestItem> ValidDcApiRequestItem(JObject requestItemJson)
+    public static Validation<DcApiRequestItem> ValidDcApiRequestItem(JObject requestItemJson, Option<Origin> origin)
     {
         var protocolValidation = requestItemJson
             .GetByKey("protocol")
@@ -53,17 +55,19 @@ public static Validation<DcApiRequestItem> ValidDcApiRequestItem(JObject request
             .OnSuccess(jObject =>
             {
                 var protocol = protocolValidation.Fallback(DcApiConstants.UnsignedProtocol);
-                return ProcessAuthRequest(jObject, protocol);
+                return ProcessAuthRequest(jObject, protocol, origin);
             });
 
         return Valid(Create)
             .Apply(dataValidation)
-            .Apply(protocolValidation);
+            .Apply(protocolValidation)
+            .Apply(origin);
     }
 
     private static DcApiRequestItem Create(
         AuthorizationRequest data,
-        string protocol) => new(data, protocol);
+        string protocol,
+        Option<Origin> origin) => new(data, protocol, origin);
 
     private static Validation<AuthorizationRequest> LiftRequest(
         Validation<AuthorizationRequestCancellation, AuthorizationRequest> validation)
@@ -78,7 +82,10 @@ private static Validation<AuthorizationRequest> LiftRequest(
         );
     }
 
-    private static Validation<AuthorizationRequest> ProcessAuthRequest(JObject jObject, string protocol)
+    private static Validation<AuthorizationRequest> ProcessAuthRequest(
+        JObject jObject,
+        string protocol,
+        Option<Origin> origin)
     {
         switch (protocol)
         {
@@ -90,6 +97,7 @@ private static Validation<AuthorizationRequest> ProcessAuthRequest(JObject jObje
                 var jToken = jObject.GetByKey("request").UnwrapOrThrow();
                 var result =
                     from requestObject in RequestObject.FromStr(jToken.ToString(), Option<string>.None)
+                    from _ in requestObject.ValidateOrigin(origin)
                     select requestObject.ToAuthorizationRequest();
                 return LiftRequest(result);
             default:

src/WalletFramework.Oid4Vc/Oid4Vp/Errors/OriginMismatchError.cs

@@ -0,0 +1,14 @@
+namespace WalletFramework.Oid4Vc.Oid4Vp.Errors;
+
+public record OriginMismatchError : InvalidRequestError
+{
+    public OriginMismatchError(string message) : base(message)
+    {
+    }
+
+    public OriginMismatchError(string Message, Exception Exception) 
+        : base(Message, Exception)
+    {
+    }
+}
+

src/WalletFramework.Oid4Vc/Oid4Vp/Models/AuthorizationRequest.cs

@@ -5,6 +5,7 @@
 using OneOf;
 using WalletFramework.Core.Functional;
 using WalletFramework.Core.Json;
+using WalletFramework.Oid4Vc.Oid4Vp.DcApi.Models;
 using WalletFramework.Oid4Vc.Oid4Vp.Dcql.Models;
 using WalletFramework.Oid4Vc.Oid4Vp.Errors;
 using WalletFramework.Oid4Vc.Oid4Vp.PresentationExchange.Models;
@@ -101,6 +102,10 @@ public record AuthorizationRequest
     [JsonProperty("verifier_attestations")]
     [JsonConverter(typeof(VerifierAttestationsConverter))]
     public VerifierAttestation[]? VerifierAttestations { get; }
+    
+    [JsonProperty("expected_origins")]
+    [JsonConverter(typeof(ExpectedOriginsConverter))]
+    public Origin[]? ExpectedOrigins { get; }
 
     /// <summary>
     ///     The X509 certificate of the verifier, this property is only set when ClientIDScheme is X509SanDNS.
@@ -134,7 +139,8 @@ private AuthorizationRequest(
         string? clientMetadataUri,
         string? scope,
         string? state,
-        VerifierAttestation[] verifierAttestations)
+        VerifierAttestation[] verifierAttestations,
+        Origin[]? expectedOrigins)
     {
         if (clientId is not null)
         {
@@ -161,6 +167,7 @@ private AuthorizationRequest(
         Scope = scope;
         State = state;
         VerifierAttestations = verifierAttestations;
+        ExpectedOrigins = expectedOrigins;
     }
 
     /// <summary>

src/WalletFramework.Oid4Vc/Oid4Vp/Models/ExpectedOriginsConverter.cs

@@ -0,0 +1,35 @@
+using Newtonsoft.Json;
+using Newtonsoft.Json.Linq;
+using WalletFramework.Oid4Vc.Oid4Vp.DcApi.Models;
+
+namespace WalletFramework.Oid4Vc.Oid4Vp.Models;
+
+public class ExpectedOriginsConverter : JsonConverter<Origin[]>
+{
+    public override bool CanRead => true;
+
+    public override bool CanWrite => false;
+
+    public override Origin[]? ReadJson(JsonReader reader, Type objectType,
+        Origin[]? existingValue,
+        bool hasExistingValue, JsonSerializer serializer)
+    {
+        try
+        {
+            var jArray = JArray.Load(reader);
+            var origins = jArray
+                .Select(token => token.ToString())
+                .Where(origin => !string.IsNullOrEmpty(origin))
+                .Select(origin => new Origin(origin))
+                .ToArray();
+            return origins;
+        }
+        catch (Exception)
+        {
+            return null;
+        }
+    }
+
+    public override void WriteJson(JsonWriter writer, Origin[]? value, JsonSerializer serializer) =>
+        throw new NotImplementedException();
+}

src/WalletFramework.Oid4Vc/Oid4Vp/Models/RequestObject.cs

@@ -1,12 +1,16 @@
+using System.Collections;
 using System.IdentityModel.Tokens.Jwt;
 using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
 using LanguageExt;
+using Newtonsoft.Json.Linq;
 using Org.BouncyCastle.X509;
 using WalletFramework.Core.Functional;
 using WalletFramework.Core.X509;
+using WalletFramework.Oid4Vc.Oid4Vp.DcApi.Models;
 using WalletFramework.Oid4Vc.Oid4Vp.Errors;
 using WalletFramework.Oid4Vc.Oid4Vp.Extensions;
+using static WalletFramework.Core.Functional.ValidationFun;
 using X509Certificate = Org.BouncyCastle.X509.X509Certificate;
 using static WalletFramework.Oid4Vc.Oid4Vp.Models.AuthorizationRequest;
 using static Newtonsoft.Json.Linq.JArray;
@@ -24,12 +28,12 @@ public readonly struct RequestObject
     /// <summary>
     ///     The client ID scheme used to obtain and validate metadata of the verifier.
     /// </summary>
-    public ClientIdScheme ClientIdScheme => AuthorizationRequest.ClientIdScheme;
+    public ClientIdScheme ClientIdScheme => AuthorizationRequest.ClientIdScheme!;
 
     /// <summary>
     ///     The client ID of the verifier.
     /// </summary>
-    public string ClientId => AuthorizationRequest.ClientId;
+    public string ClientId => AuthorizationRequest.ClientId!;
 
     private AuthorizationRequest AuthorizationRequest { get; init; }
 
@@ -66,19 +70,20 @@ public static Validation<AuthorizationRequestCancellation, RequestObject> FromSt
             return new AuthorizationRequestCancellation(Option<Uri>.None, [error]);
         }
 
-        walletNonce.IfSome(nonce => 
+        walletNonce.IfSome(nonce =>
         {
             if (jwt.Payload.TryGetValue("wallet_nonce", out var nonceValue))
             {
                 if (nonceValue.ToString() != nonce)
-                    throw new InvalidOperationException("wallet_nonce in request object does not match the provided wallet_nonce");
+                    throw new InvalidOperationException(
+                        "wallet_nonce in request object does not match the provided wallet_nonce");
             }
             else
             {
                 throw new InvalidOperationException("wallet_nonce is required but not present in the Request Object");
             }
         });
-        
+
         var json = jwt.Payload.SerializeToJson();
 
         return
@@ -90,7 +95,7 @@ from authRequest in CreateAuthorizationRequest(json)
     ///     Gets the authorization request from the request object.
     /// </summary>
     public AuthorizationRequest ToAuthorizationRequest() => AuthorizationRequest;
-    
+
     internal RequestObject WithX509()
     {
         var encodedCertificate = this.GetLeafCertificate().GetEncoded();
@@ -118,7 +123,7 @@ internal RequestObject WithX509()
             AuthorizationRequest = authRequest
         };
     }
-    
+
     internal RequestObject WithClientMetadata(Option<ClientMetadata> clientMetadata)
     {
         var authRequest = AuthorizationRequest with
@@ -138,6 +143,13 @@ internal RequestObject WithClientMetadata(Option<ClientMetadata> clientMetadata)
 /// </summary>
 public static class RequestObjectExtensions
 {
+    public static RequestObject ValidateClientIdPrefix(this RequestObject requestObject) =>
+        requestObject.ClientIdScheme.Value == ClientIdScheme.ClientIdSchemeValue.RedirectUri
+        && requestObject.ToAuthorizationRequest().ResponseUri != requestObject.ClientId
+            ? throw new InvalidOperationException(
+                "When client_id_prefix is 'redirect_uri', the response_uri must match the client_id")
+            : requestObject;
+
     /// <summary>
     ///     Validates the JWT signature.
     /// </summary>
@@ -182,22 +194,15 @@ public static RequestObject ValidateTrustChain(this RequestObject requestObject)
         else
             throw new InvalidOperationException("Validation of trust chain failed");
     }
-    
-    public static RequestObject ValidateClientIdPrefix(this RequestObject requestObject) => 
-        requestObject.ClientIdScheme.Value == ClientIdScheme.ClientIdSchemeValue.RedirectUri 
-        && requestObject.ToAuthorizationRequest().ResponseUri != requestObject.ClientId
-        ? throw new InvalidOperationException("When client_id_prefix is 'redirect_uri', the response_uri must match the client_id")
-        : requestObject;
-    
+
     internal static List<X509Certificate> GetCertificates(this RequestObject requestObject)
     {
         var x5C = ((JwtSecurityToken)requestObject).Header.X5c;
-        var result = Parse(x5C).Select(
-            certAsJToken =>
-            {
-                var certBytes = FromBase64String(certAsJToken.ToString());
-                return new X509CertificateParser().ReadCertificate(certBytes);
-            }).ToList();
+        var result = Parse(x5C).Select(certAsJToken =>
+        {
+            var certBytes = FromBase64String(certAsJToken.ToString());
+            return new X509CertificateParser().ReadCertificate(certBytes);
+        }).ToList();
 
         if (result.Count == 0)
         {
@@ -210,20 +215,49 @@ internal static List<X509Certificate> GetCertificates(this RequestObject request
     internal static X509Certificate GetLeafCertificate(this RequestObject requestObject) =>
         GetCertificates(requestObject).First();
 
+    internal static Validation<AuthorizationRequestCancellation, RequestObject> ValidateOrigin(this RequestObject requestObject, Option<Origin> origin)
+    {
+        var authRequest = requestObject.ToAuthorizationRequest();
+        var responseUriOption = authRequest.GetResponseUriMaybe();
+        
+        return origin.Match(
+            value =>
+            {
+                var expectedOrigins = authRequest.ExpectedOrigins;
+                if (expectedOrigins?.Contains(value) ?? false)
+                {
+                    return Prelude.Success<AuthorizationRequestCancellation, RequestObject>(requestObject);
+                }
+                else
+                {
+                    var expectedOriginsList = string.Join(", ", expectedOrigins?.Select(o => o.Value) ?? []);
+                    var error = new OriginMismatchError(
+                        $"Origin {value} is not present in expected origins: [{expectedOriginsList}]");
+                    return new AuthorizationRequestCancellation(responseUriOption, [error]);
+                }
+            },
+            () =>
+            {
+                var error = new OriginMismatchError("Origin is required but not provided");
+                return new AuthorizationRequestCancellation(responseUriOption, [error]);
+            }
+        );
+    }
+
     private static IEnumerable<string> GetSanDnsNames(X509Certificate2 certificate)
     {
         const string sanOid = "2.5.29.17";
         var sanNames = new List<string>();
 
         foreach (var extension in certificate.Extensions)
         {
-            if (extension.Oid.Value != sanOid)
+            if (extension.Oid!.Value != sanOid)
                 continue;
 
-            var sanExtension = (AsnEncodedData)extension;
+            AsnEncodedData sanExtension = extension;
             var sanData = sanExtension.Format(true);
 
-            foreach (var line in sanData.Split(new[] { "\r\n", "\n", "," }, StringSplitOptions.RemoveEmptyEntries))
+            foreach (var line in sanData.Split(["\r\n", "\n", ","], StringSplitOptions.RemoveEmptyEntries))
             {
                 sanNames.Add(line.Split(':', '=').Last().Trim());
             }