Update VcSdJwt

Author: cicnavi

src/VerifiableCredentials/VcDataModel/Claims/VcCredentialStatusClaimBag.php

@@ -0,0 +1,54 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\OpenID\VerifiableCredentials\VcDataModel\Claims;
+
+use SimpleSAML\OpenID\Codebooks\ClaimsEnum;
+use SimpleSAML\OpenID\ValueAbstracts\ClaimInterface;
+
+class VcCredentialStatusClaimBag implements ClaimInterface
+{
+    /** @var \SimpleSAML\OpenID\VerifiableCredentials\VcDataModel\Claims\VcCredentialStatusClaimValue[] */
+    protected array $vcCredentialStatusClaimValueValues;
+
+
+    public function __construct(
+        VcCredentialStatusClaimValue $vcCredentialStatusClaimValue,
+        VcCredentialStatusClaimValue ...$vcCredentialStatusClaimValueValues,
+    ) {
+        $this->vcCredentialStatusClaimValueValues = [
+            $vcCredentialStatusClaimValue,
+            ...$vcCredentialStatusClaimValueValues,
+        ];
+    }
+
+
+    /**
+     * @return mixed[]
+     */
+    public function jsonSerialize(): array
+    {
+        return array_map(
+            fn(
+                VcCredentialStatusClaimValue $vcCredentialStatusClaimValue,
+            ): array => $vcCredentialStatusClaimValue->jsonSerialize(),
+            $this->getValue(),
+        );
+    }
+
+
+    public function getName(): string
+    {
+        return ClaimsEnum::Credential_Subject->value;
+    }
+
+
+    /**
+     * @return \SimpleSAML\OpenID\VerifiableCredentials\VcDataModel\Claims\VcCredentialStatusClaimValue[]
+     */
+    public function getValue(): array
+    {
+        return $this->vcCredentialStatusClaimValueValues;
+    }
+}

src/VerifiableCredentials/VcDataModel/Factories/VcDataModelClaimFactory.php

@@ -18,6 +18,7 @@
 use SimpleSAML\OpenID\VerifiableCredentials\VcDataModel\Claims\VcClaimValue;
 use SimpleSAML\OpenID\VerifiableCredentials\VcDataModel\Claims\VcCredentialSchemaClaimBag;
 use SimpleSAML\OpenID\VerifiableCredentials\VcDataModel\Claims\VcCredentialSchemaClaimValue;
+use SimpleSAML\OpenID\VerifiableCredentials\VcDataModel\Claims\VcCredentialStatusClaimBag;
 use SimpleSAML\OpenID\VerifiableCredentials\VcDataModel\Claims\VcCredentialStatusClaimValue;
 use SimpleSAML\OpenID\VerifiableCredentials\VcDataModel\Claims\VcCredentialSubjectClaimBag;
 use SimpleSAML\OpenID\VerifiableCredentials\VcDataModel\Claims\VcCredentialSubjectClaimValue;
@@ -214,6 +215,39 @@ public function buildVcCredentialStatusClaimValue(array $data): VcCredentialStat
     }
 
 
+    /**
+     * @param mixed[] $data
+     * @throws \SimpleSAML\OpenID\Exceptions\InvalidValueException
+     * @throws \SimpleSAML\OpenID\Exceptions\VcDataModelException
+     */
+    public function buildVcCredentialStatusClaimBag(array $data): VcCredentialStatusClaimBag
+    {
+        // If this is a single credential status claim, wrap it in a
+        // CredentialStatusClaimBag.
+        if ($this->helpers->arr()->isAssociative($data)) {
+            return new VcCredentialStatusClaimBag(
+                $this->buildVcCredentialStatusClaimValue($data),
+            );
+        }
+
+        // We have multiple credential status claims. Wrap them in a
+        // CredentialStatusClaimBag.
+        $data = $this->helpers->type()->enforceNonEmptyArrayOfNonEmptyArrays($data);
+
+        $vcCredentialStatusClaims = [];
+        foreach ($data as $credentialStatusClaimValueData) {
+            $vcCredentialStatusClaims[] = $this->buildVcCredentialStatusClaimValue($credentialStatusClaimValueData);
+        }
+
+        $firstCredentialStatusClaim = array_shift($vcCredentialStatusClaims);
+
+        return new VcCredentialStatusClaimBag(
+            $firstCredentialStatusClaim,
+            ...$vcCredentialStatusClaims,
+        );
+    }
+
+
     /**
      * @param non-empty-array<mixed> $data
      * @throws \SimpleSAML\OpenID\Exceptions\InvalidValueException

src/VerifiableCredentials/VcDataModel2/VcSdJwt.php

@@ -14,7 +14,7 @@
 use SimpleSAML\OpenID\VerifiableCredentials\VcDataModel\Claims\TypeClaimValue;
 use SimpleSAML\OpenID\VerifiableCredentials\VcDataModel\Claims\VcAtContextClaimValue;
 use SimpleSAML\OpenID\VerifiableCredentials\VcDataModel\Claims\VcCredentialSchemaClaimBag;
-use SimpleSAML\OpenID\VerifiableCredentials\VcDataModel\Claims\VcCredentialStatusClaimValue;
+use SimpleSAML\OpenID\VerifiableCredentials\VcDataModel\Claims\VcCredentialStatusClaimBag;
 use SimpleSAML\OpenID\VerifiableCredentials\VcDataModel\Claims\VcCredentialSubjectClaimBag;
 use SimpleSAML\OpenID\VerifiableCredentials\VcDataModel\Claims\VcEvidenceClaimBag;
 use SimpleSAML\OpenID\VerifiableCredentials\VcDataModel\Claims\VcIssuerClaimValue;
@@ -41,7 +41,7 @@ class VcSdJwt extends SdJwt implements VerifiableCredentialInterface
 
     protected null|false|VcProofClaimValue $vcProofClaimValue = null;
 
-    protected null|false|VcCredentialStatusClaimValue $vcCredentialStatusClaimValue = null;
+    protected null|false|VcCredentialStatusClaimBag $vcCredentialStatusClaimBag = null;
 
     protected null|false|VcCredentialSchemaClaimBag $vcCredentialSchemaClaimBag = null;
 
@@ -74,6 +74,10 @@ protected function validate(): void
         if (array_key_exists('vp', $payload)) {
             throw new VcDataModelException('SD-JWT VC MUST NOT contain a "vp" claim.');
         }
+
+        // Validate validFrom and validUntil claims
+        $this->getValidFrom();
+        $this->getValidUntil();
     }
 
 
@@ -244,15 +248,23 @@ public function getValidFrom(): DateTimeImmutable
 
         try {
             $validFromStr = $this->helpers->type()->ensureNonEmptyString($validFrom, ClaimsEnum::ValidFrom->value);
-            return $this->validFrom = $this->helpers->dateTime()->fromXsDateTime($validFromStr);
+            $validFrom  = $this->helpers->dateTime()->fromXsDateTime($validFromStr);
         } catch (Exception $exception) {
             throw new VcDataModelException('Invalid Valid From claim.', (int) $exception->getCode(), $exception);
         }
+
+        if ($validFrom->getTimestamp() - $this->timestampValidationLeeway->getInSeconds() > time()) {
+            throw new VcDataModelException('Credential is not valid yet.');
+        }
+
+        return $this->validFrom = $validFrom;
     }
 
 
     /**
-     * Alias for getValidFrom to remain fully backwards compatible with consumers expecting getVcIssuanceDate
+     * Alias for getValidFrom to remain fully backwards compatible with
+     * consumers expecting `getVcIssuanceDate`.
+     *
      * @throws \SimpleSAML\OpenID\Exceptions\VcDataModelException
      * @throws \SimpleSAML\OpenID\Exceptions\JwsException
      * @throws \SimpleSAML\OpenID\Exceptions\InvalidValueException
@@ -300,10 +312,16 @@ public function getValidUntil(): ?DateTimeImmutable
 
         try {
             $validUntilStr = $this->helpers->type()->ensureNonEmptyString($validUntil, ClaimsEnum::ValidUntil->value);
-            return $this->validUntil = $this->helpers->dateTime()->fromXsDateTime($validUntilStr);
+            $validUntil = $this->helpers->dateTime()->fromXsDateTime($validUntilStr);
         } catch (Exception $exception) {
             throw new VcDataModelException('Invalid Valid Until claim.', (int) $exception->getCode(), $exception);
         }
+
+        if ($validUntil->getTimestamp() + $this->timestampValidationLeeway->getInSeconds() < time()) {
+            throw new VcDataModelException('Credential is expired.');
+        }
+
+        return $this->validUntil = $validUntil;
     }
 
 
@@ -349,30 +367,32 @@ public function getVcProof(): ?VcProofClaimValue
 
     /**
      * @throws \SimpleSAML\OpenID\Exceptions\VcDataModelException
+     * @throws \SimpleSAML\OpenID\Exceptions\InvalidValueException
+     * @throws \SimpleSAML\OpenID\Exceptions\JwsException
      */
-    public function getVcCredentialStatus(): ?VcCredentialStatusClaimValue
+    public function getVcCredentialStatus(): ?VcCredentialStatusClaimBag
     {
-        if ($this->vcCredentialStatusClaimValue === false) {
+        if ($this->vcCredentialStatusClaimBag === false) {
             return null;
         }
 
-        if ($this->vcCredentialStatusClaimValue instanceof VcCredentialStatusClaimValue) {
-            return $this->vcCredentialStatusClaimValue;
+        if ($this->vcCredentialStatusClaimBag instanceof VcCredentialStatusClaimBag) {
+            return $this->vcCredentialStatusClaimBag;
         }
 
         $vcCredentialStatus = $this->getPayloadClaim(ClaimsEnum::Credential_Status->value);
 
         if (is_null($vcCredentialStatus)) {
-            $this->vcCredentialStatusClaimValue = false;
+            $this->vcCredentialStatusClaimBag = false;
             return null;
         }
 
         if (!is_array($vcCredentialStatus)) {
             throw new VcDataModelException('Invalid Credential Status claim.');
         }
 
-        return $this->vcCredentialStatusClaimValue = $this->claimFactory->forVcDataModel2()
-            ->buildVcCredentialStatusClaimValue($vcCredentialStatus);
+        return $this->vcCredentialStatusClaimBag = $this->claimFactory->forVcDataModel2()
+            ->buildVcCredentialStatusClaimBag($vcCredentialStatus);
     }
 
 

tests/src/VerifiableCredentials/VcDataModel2/VcSdJwtTest.php

@@ -7,6 +7,7 @@
 use DateTimeImmutable;
 use Jose\Component\Signature\JWS;
 use Jose\Component\Signature\Signature;
+use PHPUnit\Framework\Attributes\UsesClass;
 use PHPUnit\Framework\MockObject\MockObject;
 use PHPUnit\Framework\TestCase;
 use SimpleSAML\OpenID\Codebooks\CredentialFormatIdentifiersEnum;
@@ -22,6 +23,7 @@
 use SimpleSAML\OpenID\VerifiableCredentials\VcDataModel2\VcSdJwt;
 
 #[\PHPUnit\Framework\Attributes\CoversClass(VcSdJwt::class)]
+#[UsesClass(\SimpleSAML\OpenID\Helpers\DateTime::class)]
 final class VcSdJwtTest extends TestCase
 {
     /** @var \Jose\Component\Signature\Signature&\PHPUnit\Framework\MockObject\MockObject */
@@ -36,13 +38,10 @@ final class VcSdJwtTest extends TestCase
     /** @var \SimpleSAML\OpenID\Helpers\Json&\PHPUnit\Framework\MockObject\MockObject */
     protected MockObject $jsonHelperMock;
 
-    /** @var \SimpleSAML\OpenID\Helpers\DateTime&\PHPUnit\Framework\MockObject\MockObject */
-    protected MockObject $dateTimeHelperMock;
-
     /** @var \SimpleSAML\OpenID\Factories\ClaimFactory&\PHPUnit\Framework\MockObject\Stub */
     protected \PHPUnit\Framework\MockObject\Stub $claimFactoryMock;
 
-    protected array $validPayload = [
+    protected array $expiredPayload = [
         "@context" => [
             "https://www.w3.org/ns/credentials/v2",
             "https://www.w3.org/2018/credentials/examples/v1",
@@ -69,6 +68,8 @@ final class VcSdJwtTest extends TestCase
         "sub" => "did:example:123",
     ];
 
+    protected array $validPayload;
+
     protected array $sampleHeader = [
         'alg' => 'ES256',
         'typ' => 'vc+sd-jwt',
@@ -94,8 +95,16 @@ protected function setUp(): void
         $this->helpersMock->method('type')->willReturn($typeHelperMock);
         $arrHelperMock = $this->createMock(Helpers\Arr::class);
         $this->helpersMock->method('arr')->willReturn($arrHelperMock);
-        $this->dateTimeHelperMock = $this->createMock(Helpers\DateTime::class);
-        $this->helpersMock->method('dateTime')->willReturn($this->dateTimeHelperMock);
+        $dateTimeHelperMock = $this->createMock(Helpers\DateTime::class);
+        $this->helpersMock->method('dateTime')->willReturn($dateTimeHelperMock);
+
+        $realDateTimeHelper = new Helpers\DateTime();
+        $dateTimeHelperMock->method('fromXsDateTime')
+            ->willReturnCallback(fn(string $input): \DateTimeImmutable => $realDateTimeHelper->fromXsDateTime($input));
+        $dateTimeHelperMock->method('fromTimestamp')
+            ->willReturnCallback(
+                fn(int $timestamp): \DateTimeImmutable => $realDateTimeHelper->fromTimestamp($timestamp),
+            );
 
         $typeHelperMock->method('ensureNonEmptyString')->willReturnArgument(0);
         $typeHelperMock->method('ensureInt')->willReturnArgument(0);
@@ -110,6 +119,8 @@ protected function setUp(): void
 
         $this->claimFactoryMock = $this->createStub(ClaimFactory::class);
 
+        $this->validPayload = $this->expiredPayload;
+
         $this->validPayload['exp'] = time() + 3600;
         $this->validPayload['validUntil'] = (new \DateTimeImmutable())
             ->modify('+1 hour')
@@ -119,12 +130,15 @@ protected function setUp(): void
 
     protected function sut(): VcSdJwt
     {
+        $leewayMock = $this->createMock(\SimpleSAML\OpenID\Decorators\DateIntervalDecorator::class);
+        $leewayMock->method('getInSeconds')->willReturn(0);
+
         return new VcSdJwt(
             $this->jwsDecoratorMock,
             $this->createStub(\SimpleSAML\OpenID\Jws\JwsVerifierDecorator::class),
             $this->createStub(\SimpleSAML\OpenID\Jwks\Factories\JwksDecoratorFactory::class),
             $this->createStub(\SimpleSAML\OpenID\Serializers\JwsSerializerManagerDecorator::class),
-            $this->createStub(\SimpleSAML\OpenID\Decorators\DateIntervalDecorator::class),
+            $leewayMock,
             $this->helpersMock,
             $this->claimFactoryMock,
         );
@@ -159,8 +173,6 @@ public function testGetPropertiesReturnTypes(): void
 
         $this->claimFactoryMock->method('forVcDataModel2')->willReturn($vcDataModelClaimFactoryMock);
 
-        $this->dateTimeHelperMock->method('fromXsDateTime')->willReturn(new DateTimeImmutable());
-
         $this->assertInstanceOf(VcAtContextClaimValue::class, $sut->getVcAtContext());
         $this->assertIsString($sut->getVcId());
         $this->assertInstanceOf(TypeClaimValue::class, $sut->getVcType());