Start with Nonce endpoint

Author: cicnavi

routing/routes/routes.php

@@ -24,6 +24,7 @@
 use SimpleSAML\Module\oidc\Controllers\VerifiableCredentials\CredentialIssuerConfigurationController;
 use SimpleSAML\Module\oidc\Controllers\VerifiableCredentials\CredentialIssuerCredentialController;
 use SimpleSAML\Module\oidc\Controllers\VerifiableCredentials\JwtVcIssuerConfigurationController;
+use SimpleSAML\Module\oidc\Controllers\VerifiableCredentials\NonceController;
 use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum;
 use Symfony\Component\Routing\Loader\Configurator\RoutingConfigurator;
 
@@ -126,6 +127,10 @@
         ->controller([CredentialIssuerCredentialController::class, 'credential'])
         ->methods([HttpMethodsEnum::GET->value, HttpMethodsEnum::POST->value]);
 
+    $routes->add(RoutesEnum::CredentialIssuerNonce->name, RoutesEnum::CredentialIssuerNonce->value)
+        ->controller([NonceController::class, 'nonce'])
+        ->methods([HttpMethodsEnum::POST->value]);
+
     /*****************************************************************************************************************
      * SD-JWT-based Verifiable Credentials (SD-JWT VC)
      ****************************************************************************************************************/

src/Codebooks/RoutesEnum.php

@@ -63,6 +63,7 @@ enum RoutesEnum: string
 
     case CredentialIssuerConfiguration = '.well-known/openid-credential-issuer';
     case CredentialIssuerCredential = 'credential-issuer/credential';
+    case CredentialIssuerNonce = 'credential-issuer/nonce';
 
     /*****************************************************************************************************************
      * SD-JWT-based Verifiable Credentials (SD-JWT VC)

src/Controllers/VerifiableCredentials/CredentialIssuerConfigurationController.php

@@ -72,7 +72,7 @@ public function configuration(): Response
             ClaimsEnum::CredentialEndpoint->value => $this->routes->urlCredentialIssuerCredential(),
 
             // OPTIONAL
-            // nonce_endpoint
+            ClaimsEnum::NonceEndpoint->value => $this->routes->urlCredentialIssuerNonce(),
 
             // OPTIONAL
             // deferred_credential_endpoint

src/Controllers/VerifiableCredentials/CredentialIssuerCredentialController.php

@@ -15,6 +15,7 @@
 use SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException;
 use SimpleSAML\Module\oidc\Server\ResourceServer;
 use SimpleSAML\Module\oidc\Services\LoggerService;
+use SimpleSAML\Module\oidc\Services\NonceService;
 use SimpleSAML\Module\oidc\Utils\RequestParamsResolver;
 use SimpleSAML\Module\oidc\Utils\Routes;
 use SimpleSAML\OpenID\Codebooks\AtContextsEnum;
@@ -53,6 +54,7 @@ public function __construct(
         protected readonly UserRepository $userRepository,
         protected readonly Did $did,
         protected readonly IssuerStateRepository $issuerStateRepository,
+        protected readonly NonceService $nonceService,
     ) {
         if (!$this->moduleConfig->getVciEnabled()) {
             $this->loggerService->warning('Verifiable Credential capabilities not enabled.');
@@ -447,7 +449,28 @@ public function credential(Request $request): Response
                     $proof->verifyWithKey($jwk);
 
                     $this->loggerService->debug('Proof verified successfully using did:key ' . $didKey);
-                    // Set it as a subject identifier (bind it).
+
+                // Verify nonce
+                    $nonce = $proof->getNonce();
+                    if ($nonce === null) {
+                        return $this->routes->newJsonErrorResponse(
+                            'invalid_proof',
+                            'Proof MUST contain a c_nonce.',
+                        );
+                    }
+
+                    if (!$this->nonceService->validateNonce($nonce)) {
+                        return $this->routes->newJsonResponse(
+                            [
+                            'error' => 'invalid_nonce',
+                            'error_description' => 'c_nonce is invalid or expired.',
+                            'c_nonce' => $this->nonceService->generateNonce(),
+                            ],
+                            400,
+                        );
+                    }
+
+                // Set it as a subject identifier (bind it).
                     $sub = $didKey;
                 } else {
                     $this->loggerService->warning(

src/Controllers/VerifiableCredentials/NonceController.php

@@ -0,0 +1,36 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\Module\oidc\Controllers\VerifiableCredentials;
+
+use SimpleSAML\Module\oidc\Services\LoggerService;
+use SimpleSAML\Module\oidc\Services\NonceService;
+use SimpleSAML\Module\oidc\Utils\Routes;
+use Symfony\Component\HttpFoundation\Response;
+
+class NonceController
+{
+    public function __construct(
+        protected readonly NonceService $nonceService,
+        protected readonly Routes $routes,
+        protected readonly LoggerService $loggerService,
+    ) {
+    }
+
+    /**
+     * @throws \Exception
+     */
+    public function nonce(): Response
+    {
+        $this->loggerService->debug('NonceController::nonce');
+
+        $nonce = $this->nonceService->generateNonce();
+
+        return $this->routes->newJsonResponse(
+            ['c_nonce' => $nonce],
+            200,
+            ['Cache-Control' => 'no-store'],
+        );
+    }
+}

src/Services/Container.php

@@ -101,6 +101,7 @@
 use SimpleSAML\Module\oidc\Server\ResponseTypes\TokenResponse;
 use SimpleSAML\Module\oidc\Server\TokenIssuers\RefreshTokenIssuer;
 use SimpleSAML\Module\oidc\Server\Validators\BearerTokenValidator;
+use SimpleSAML\Module\oidc\Services\NonceService;
 use SimpleSAML\Module\oidc\Stores\Session\LogoutTicketStoreBuilder;
 use SimpleSAML\Module\oidc\Stores\Session\LogoutTicketStoreDb;
 use SimpleSAML\Module\oidc\Utils\AuthenticatedOAuth2ClientResolver;
@@ -583,6 +584,9 @@ public function __construct()
 
         $errorResponder = new ErrorResponder($psrHttpBridge);
         $this->services[ErrorResponder::class] = $errorResponder;
+
+        $nonceService = new NonceService($jws, $moduleConfig, $loggerService);
+        $this->services[NonceService::class] = $nonceService;
     }
 
     /**

src/Services/NonceService.php

@@ -0,0 +1,79 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\Module\oidc\Services;
+
+use SimpleSAML\Module\oidc\ModuleConfig;
+use SimpleSAML\OpenID\Codebooks\ClaimsEnum;
+use SimpleSAML\OpenID\Jws;
+
+class NonceService
+{
+    public function __construct(
+        protected readonly Jws $jws,
+        protected readonly ModuleConfig $moduleConfig,
+        protected readonly LoggerService $loggerService,
+    ) {
+    }
+
+    /**
+     * @throws \Exception
+     */
+    public function generateNonce(): string
+    {
+        $signatureKeyPair = $this->moduleConfig->getVciSignatureKeyPairBag()->getFirstOrFail();
+        $currentTimestamp = $this->jws->helpers()->dateTime()->getUtc()->getTimestamp();
+
+        // Nonce is valid for 5 minutes (300 seconds)
+        // TODO mivanci Consider making this configurable.
+        $expiryTimestamp = $currentTimestamp + 300;
+
+        $payload = [
+            ClaimsEnum::Iss->value => $this->moduleConfig->getIssuer(),
+            ClaimsEnum::Iat->value => $currentTimestamp,
+            ClaimsEnum::Exp->value => $expiryTimestamp,
+            'nonce_val' => bin2hex(random_bytes(16)),
+        ];
+
+        $header = [
+            ClaimsEnum::Kid->value => $signatureKeyPair->getKeyPair()->getKeyId(),
+        ];
+
+        return $this->jws->parsedJwsFactory()->fromData(
+            $signatureKeyPair->getKeyPair()->getPrivateKey(),
+            $signatureKeyPair->getSignatureAlgorithm(),
+            $payload,
+            $header,
+        )->getToken();
+    }
+
+    public function validateNonce(string $nonce): bool
+    {
+        try {
+            $parsedJws = $this->jws->parsedJwsFactory()->fromToken($nonce);
+
+            // Verify signature
+            $signatureKeyPair = $this->moduleConfig->getVciSignatureKeyPairBag()->getFirstOrFail();
+            $parsedJws->verifyWithKey($signatureKeyPair->getKeyPair()->getPublicKey()->jwk()->all());
+
+            // Verify issuer
+            if ($parsedJws->getIssuer() !== $this->moduleConfig->getIssuer()) {
+                $this->loggerService->warning('Nonce validation failed: invalid issuer.');
+                return false;
+            }
+
+            // Verify expiration
+            $currentTimestamp = $this->jws->helpers()->dateTime()->getUtc()->getTimestamp();
+            if ($parsedJws->getExpirationTime() < $currentTimestamp) {
+                $this->loggerService->warning('Nonce validation failed: expired.');
+                return false;
+            }
+
+            return true;
+        } catch (\Exception $e) {
+            $this->loggerService->warning('Nonce validation failed: ' . $e->getMessage());
+            return false;
+        }
+    }
+}

src/Utils/Routes.php

@@ -227,6 +227,11 @@ public function urlCredentialIssuerCredential(array $parameters = []): string
         return $this->getModuleUrl(RoutesEnum::CredentialIssuerCredential->value, $parameters);
     }
 
+    public function urlCredentialIssuerNonce(array $parameters = []): string
+    {
+        return $this->getModuleUrl(RoutesEnum::CredentialIssuerNonce->value, $parameters);
+    }
+
     /*****************************************************************************************************************
      * SD-JWT-based Verifiable Credentials (SD-JWT VC)
      ****************************************************************************************************************/

tests/unit/src/Controllers/VerifiableCredentials/NonceControllerTest.php

@@ -0,0 +1,50 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\Test\Module\oidc\unit\Controllers\VerifiableCredentials;
+
+use PHPUnit\Framework\Attributes\CoversClass;
+use PHPUnit\Framework\MockObject\MockObject;
+use PHPUnit\Framework\TestCase;
+use SimpleSAML\Module\oidc\Controllers\VerifiableCredentials\NonceController;
+use SimpleSAML\Module\oidc\Services\LoggerService;
+use SimpleSAML\Module\oidc\Services\NonceService;
+use SimpleSAML\Module\oidc\Utils\Routes;
+use Symfony\Component\HttpFoundation\JsonResponse;
+
+#[CoversClass(NonceController::class)]
+class NonceControllerTest extends TestCase
+{
+    protected MockObject $nonceServiceMock;
+    protected MockObject $routesMock;
+    protected MockObject $loggerServiceMock;
+
+    public function setUp(): void
+    {
+        $this->nonceServiceMock = $this->createMock(NonceService::class);
+        $this->routesMock = $this->createMock(Routes::class);
+        $this->loggerServiceMock = $this->createMock(LoggerService::class);
+    }
+
+    /**
+     * @throws \Exception
+     */
+    public function testNonce(): void
+    {
+        $this->nonceServiceMock->expects($this->once())
+            ->method('generateNonce')
+            ->willReturn('mocked_nonce');
+
+        $responseMock = $this->createMock(JsonResponse::class);
+        $this->routesMock->expects($this->once())
+            ->method('newJsonResponse')
+            ->with(['c_nonce' => 'mocked_nonce'], 200, ['Cache-Control' => 'no-store'])
+            ->willReturn($responseMock);
+
+        $sut = new NonceController($this->nonceServiceMock, $this->routesMock, $this->loggerServiceMock);
+        $response = $sut->nonce();
+
+        $this->assertSame($responseMock, $response);
+    }
+}