chore: check vct scheme to choose hardware/software key

Signed-off-by: Berend Sliedrecht <[email protected]>

apps/funke/constants.ts

@@ -11,3 +11,14 @@ const animoFunkeRelyingPartyCertificate =
   'MIIBAzCBq6ADAgECAhArxq0w60RTDK4WY9HzgcvBMAoGCCqGSM49BAMCMAAwIBcNNzAwMTAxMDAwMDAwWhgPMjI4NjExMjAxNzQ2NDBaMAAwOTATBgcqhkjOPQIBBggqhkjOPQMBBwMiAALcD1XzKepFxWMAOqV+ln1fybBt7DRO5CV0f9A6mRp2xaMlMCMwIQYDVR0RBBowGIYWaHR0cHM6Ly9mdW5rZS5hbmltby5pZDAKBggqhkjOPQQDAgNHADBEAiAfvGG6sqrvzIMWYpJB5VLloo9f51loYXSkKxJIOztlNwIgLLSvEl0Dmp5vtj2buZ2nXQ2RBKxiLbc5eYGeMeoUnjk='
 
 export const trustedX509Certificates = [bdrPidIssuerCertificate, animoFunkeRelyingPartyCertificate]
+
+// https://gitlab.opencode.de/bmi/eudi-wallet/eidas-2.0-architekturkonzept/-/blob/main/architecture-proposal.md#pid-contents
+const sdJwtVcVcts = ['https://example.bmi.bund.de/credential/pid/1.0', 'urn:eu.europa.ec.eudi:pid:1']
+
+// TODO
+const msoMdocNamespaces = ['org.iso.18013.5.1.mDL']
+
+export const pidSchemes = {
+  sdJwtVcVcts,
+  msoMdocNamespaces,
+}

apps/funke/package.json

@@ -10,7 +10,7 @@
 		"prebuild": "APP_VARIANT=development expo prebuild --no-install"
 	},
 	"dependencies": {
-		"@animo-id/expo-ausweis-sdk": "0.0.1-alpha.5",
+		"@animo-id/expo-ausweis-sdk": "0.0.1-alpha.6",
 		"@animo-id/expo-secure-environment": "0.1.0-alpha.1",
 		"@credo-ts/core": "*",
 		"@expo-google-fonts/open-sans": "^0.2.3",

apps/funke/use-cases/ReceivePidUseCase.ts

@@ -1,4 +1,5 @@
 import type { AppAgent } from '@/agent'
+import { pidSchemes } from '@/constants'
 import { AusweisAuthFlow } from '@animo-id/expo-ausweis-sdk'
 import {
   type OpenId4VciRequestTokenResponse,
@@ -114,6 +115,7 @@ export class ReceivePidUseCase {
         resolvedCredentialOffer: this.resolvedCredentialOffer,
         credentialConfigurationIdToRequest,
         clientId: ReceivePidUseCase.CLIENT_ID,
+        pidSchemes,
       })
 
       // TODO: add error handling everywhere to set state to error
@@ -129,7 +131,10 @@ export class ReceivePidUseCase {
   }
 
   private async acquireAccessToken(refreshUrl: string) {
-    this.assertState({ expectedState: 'id-card-auth', newState: 'acquire-access-token' })
+    this.assertState({
+      expectedState: 'id-card-auth',
+      newState: 'acquire-access-token',
+    })
 
     try {
       const authorizationCodeResponse = await fetch(refreshUrl)
@@ -154,7 +159,10 @@ export class ReceivePidUseCase {
         agent: this.agent,
       })
 
-      this.assertState({ expectedState: 'acquire-access-token', newState: 'retrieve-credential' })
+      this.assertState({
+        expectedState: 'acquire-access-token',
+        newState: 'retrieve-credential',
+      })
     } catch (error) {
       this.handleError()
     }
@@ -163,7 +171,10 @@ export class ReceivePidUseCase {
   private assertState({
     expectedState,
     newState,
-  }: { expectedState: ReceivePidUseCase['currentState']; newState?: ReceivePidUseCase['currentState'] }) {
+  }: {
+    expectedState: ReceivePidUseCase['currentState']
+    newState?: ReceivePidUseCase['currentState']
+  }) {
     if (this.currentState !== expectedState) {
       throw new Error(`Expected state to be ${expectedState}. Found ${this.currentState}`)
     }

package.json

@@ -41,7 +41,9 @@
 			"@credo-ts/openid4vc": "0.5.10-alpha-20240805102402",
 			"@credo-ts/question-answer": "0.5.10-alpha-20240805102402",
 			"@credo-ts/react-hooks": "0.6.1",
-			"@credo-ts/react-native": "0.5.10-alpha-20240805102402"
+			"@credo-ts/react-native": "0.5.10-alpha-20240805102402",
+
+			"@animo-id/expo-secure-environment": "0.1.0-alpha.1"
 		},
 		"patchedDependencies": {
 			"@credo-ts/[email protected]": "patches/@[email protected]",

packages/agent/src/invitation/handler.ts

@@ -142,11 +142,13 @@ export const receiveCredentialFromOpenId4VciOffer = async ({
   credentialConfigurationIdToRequest,
   accessToken,
   clientId,
+  pidSchemes,
 }: {
   agent: EitherAgent
   resolvedCredentialOffer: OpenId4VciResolvedCredentialOffer
   credentialConfigurationIdToRequest?: string
   clientId?: string
+  pidSchemes?: { sdJwtVcVcts: Array<string>; msoMdocNamespaces: Array<string> }
 
   // TODO: cNonce should maybe be provided separately (multiple calls can have different c_nonce values)
   accessToken: OpenId4VciRequestTokenResponse
@@ -182,6 +184,7 @@ export const receiveCredentialFromOpenId4VciOffer = async ({
       supportsAllDidMethods,
       supportsJwk,
       credentialFormat,
+      supportedCredentialId,
     }) => {
       // First, we try to pick a did method
       // Prefer did:jwk, otherwise use did:key, otherwise use undefined
@@ -199,26 +202,26 @@ export const receiveCredentialFromOpenId4VciOffer = async ({
         didMethod = 'key'
       }
 
-      let key: Key | undefined = undefined
-
-      // For P-256 we first try secure enclave
-      if (keyType === KeyType.P256) {
-        key = await agent.wallet
-          .createKey({
-            keyType,
-            keyBackend: KeyBackend.SecureElement,
-          })
-          .catch((e) => {
-            agent.config.logger.warn('Could not create a key in the secure element', e as Record<string, unknown>)
-            return agent.wallet.createKey({
-              keyType,
-            })
-          })
-      } else {
-        key = await agent.wallet.createKey({
-          keyType,
-        })
-      }
+      const offeredCredentialConfiguration = supportedCredentialId
+        ? resolvedCredentialOffer.offeredCredentialConfigurations[supportedCredentialId]
+        : undefined
+
+      const shouldKeyBeHardwareBackedForMsoMdoc = false
+      //   offeredCredentialConfiguration?.format === "mso_mdoc" &&
+      //   pidSchemes?.msoMdocNamespaces.includes(
+      //     offeredCredentialConfiguration.namespace
+      //   );
+      const shouldKeyBeHardwareBackedForSdJwtVc =
+        offeredCredentialConfiguration?.format === 'vc+sd-jwt' &&
+        pidSchemes?.sdJwtVcVcts.includes(offeredCredentialConfiguration.vct)
+
+      // TODO: add mso-mdoc config from above
+      const shouldKeyBeHardwareBacked = shouldKeyBeHardwareBackedForSdJwtVc ?? shouldKeyBeHardwareBackedForMsoMdoc
+
+      const key = await agent.wallet.createKey({
+        keyType,
+        keyBackend: shouldKeyBeHardwareBacked ? KeyBackend.SecureElement : KeyBackend.Software,
+      })
 
       if (didMethod) {
         const didResult = await agent.dids.create<JwkDidCreateOptions | KeyDidCreateOptions>({