SdJwtPresentationConsumer.java

/*
 * Copyright 2024 Red Hat, Inc. and/or its affiliates
 * and other contributors as indicated by the @author tags.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.keycloak.sdjwt.consumer;

import org.keycloak.common.VerificationException;
import org.keycloak.crypto.SignatureVerifierContext;
import org.keycloak.sdjwt.IssuerSignedJWT;
import org.keycloak.sdjwt.IssuerSignedJwtVerificationOpts;
import org.keycloak.sdjwt.vp.KeyBindingJwtVerificationOpts;
import org.keycloak.sdjwt.vp.SdJwtVP;

import java.util.ArrayList;
import java.util.List;

/**
 * A component for consuming (verifying) SD-JWT presentations.
 *
 * <p>
 * The purpose is to streamline SD-JWT VP verification beyond signature
 * and disclosure checks of {@link org.keycloak.sdjwt.SdJwtVerificationContext}
 * </p>
 *
 * @author <a href="mailto:Ingrid.Kamga@adorsys.com">Ingrid Kamga</a>
 */
public class SdJwtPresentationConsumer {

    /**
     * Verify SD-JWT presentation against specific requirements.
     *
     * @param sdJwtVP                         the presentation to verify
     * @param presentationRequirements        the requirements on presented claims
     * @param trustedSdJwtIssuers             trusted issuers for the verification
     * @param issuerSignedJwtVerificationOpts policy for Issuer-signed JWT verification
     * @param keyBindingJwtVerificationOpts   policy for Key-binding JWT verification
     * @throws VerificationException if the verification fails for some reason
     */
    public void verifySdJwtPresentation(
            SdJwtVP sdJwtVP,
            PresentationRequirements presentationRequirements,
            List<TrustedSdJwtIssuer> trustedSdJwtIssuers,
            IssuerSignedJwtVerificationOpts issuerSignedJwtVerificationOpts,
            KeyBindingJwtVerificationOpts keyBindingJwtVerificationOpts
    ) throws VerificationException {
        // Retrieve verifying keys for Issuer-signed JWT
        IssuerSignedJWT issuerSignedJWT = sdJwtVP.getIssuerSignedJWT();
        List<SignatureVerifierContext> issuerVerifyingKeys = new ArrayList<>();
        for (TrustedSdJwtIssuer trustedSdJwtIssuer : trustedSdJwtIssuers) {
            List<SignatureVerifierContext> keys = trustedSdJwtIssuer
                    .resolveIssuerVerifyingKeys(issuerSignedJWT);
            issuerVerifyingKeys.addAll(keys);
        }

        // Verify the SD-JWT token cryptographically
        // Pass presentation requirements to enforce that the presented token meets them
        sdJwtVP.getSdJwtVerificationContext()
                .verifyPresentation(
                        issuerVerifyingKeys,
                        issuerSignedJwtVerificationOpts,
                        keyBindingJwtVerificationOpts,
                        presentationRequirements
                );
    }
}