Merge pull request #1582 from aholovko/fix_issuer_verification

fix: use issuer DID instead of URL when validating issuer

component/wallet-cli/pkg/oidc4vci/oidc4vci_flow.go

@@ -269,7 +269,13 @@ func (f *Flow) Run(ctx context.Context) (*verifiable.Credential, error) {
 			return nil, fmt.Errorf("credential offer is empty")
 		}
 
-		slog.Info("Validating issuer", "url", f.trustRegistryURL)
+		issuerDID := f.wellKnownService.GetIssuerDID()
+
+		if issuerDID == "" {
+			slog.Warn("Issuer DID is empty. Does '/.well-known/openid-credential-issuer' return jwt?")
+		}
+
+		slog.Info("Validating issuer", "did", issuerDID, "url", f.trustRegistryURL)
 
 		credentialOffer := credentialOfferResponse.Credentials[0]
 
@@ -286,7 +292,7 @@ func (f *Flow) Run(ctx context.Context) (*verifiable.Credential, error) {
 
 		if err = trustregistry.NewClient(f.httpClient, f.trustRegistryURL).
 			ValidateIssuer(
-				credentialOfferResponse.CredentialIssuer,
+				issuerDID,
 				"",
 				credentialType,
 				credentialFormat,

component/wallet-cli/pkg/wellknown/wellknown.go

@@ -25,6 +25,7 @@ import (
 type Service struct {
 	HTTPClient  *http.Client
 	VDRRegistry vdrapi.Registry
+	issuerDID   string
 }
 
 // GetWellKnownOpenIDConfiguration returns OIDC Configuration.
@@ -56,12 +57,16 @@ func (s *Service) GetWellKnownOpenIDConfiguration(
 	}
 
 	if jwt.IsJWS(string(wellKnownOpenIDIssuerConfigurationPayload)) {
-		wellKnownOpenIDIssuerConfigurationPayload, err =
+		var issuerDID []byte
+
+		wellKnownOpenIDIssuerConfigurationPayload, issuerDID, err =
 			getWellKnownOpenIDConfigurationJWTPayload(
 				string(wellKnownOpenIDIssuerConfigurationPayload), s.VDRRegistry)
 		if err != nil {
 			return nil, err
 		}
+
+		s.issuerDID = string(issuerDID)
 	}
 
 	if err = json.Unmarshal(wellKnownOpenIDIssuerConfigurationPayload, &oidcConfig); err != nil {
@@ -71,7 +76,7 @@ func (s *Service) GetWellKnownOpenIDConfiguration(
 	return &oidcConfig, nil
 }
 
-func getWellKnownOpenIDConfigurationJWTPayload(rawResponse string, vdrRegistry vdrapi.Registry) ([]byte, error) {
+func getWellKnownOpenIDConfigurationJWTPayload(rawResponse string, vdrRegistry vdrapi.Registry) ([]byte, []byte, error) {
 	jwtVerifier := defaults.NewDefaultProofChecker(vermethod.NewVDRResolver(vdrRegistry))
 
 	_, credentialOfferPayload, err := jwt.ParseAndCheckProof(
@@ -80,19 +85,23 @@ func getWellKnownOpenIDConfigurationJWTPayload(rawResponse string, vdrRegistry v
 		jwt.WithIgnoreClaimsMapDecoding(true),
 	)
 	if err != nil {
-		return nil, fmt.Errorf("parse issuer configuration JWT: %w", err)
+		return nil, nil, fmt.Errorf("parse issuer configuration JWT: %w", err)
 	}
 
 	var fastParser fastjson.Parser
 	v, err := fastParser.ParseBytes(credentialOfferPayload)
 	if err != nil {
-		return nil, fmt.Errorf("decode claims: %w", err)
+		return nil, nil, fmt.Errorf("decode claims: %w", err)
 	}
 
 	sb, err := v.Get("well_known_openid_issuer_configuration").Object()
 	if err != nil {
-		return nil, fmt.Errorf("fastjson.Parser Get well_known_openid_issuer_configuration: %w", err)
+		return nil, nil, fmt.Errorf("fastjson.Parser Get well_known_openid_issuer_configuration: %w", err)
 	}
 
-	return sb.MarshalTo([]byte{}), nil
+	return sb.MarshalTo([]byte{}), v.GetStringBytes("iss"), nil
+}
+
+func (s *Service) GetIssuerDID() string {
+	return s.issuerDID
 }