vci: add key attestation metadata

Add key attestation metadata as described in
openid/OpenID4VCI#389, at commit
openid/OpenID4VCI@7130e4f.

As an aside, also add the optional nonce endpoint to the issuer metadata
which has been added recently.
Fix building a bunch of tests (but not all).

oid4vc-core/src/test_utils.rs

@@ -44,7 +44,7 @@ impl Sign for TestSubject {
     fn external_signer(&self) -> Option<Arc<dyn ExternalSign>> {
         None
     }
-    fn jwt_header(&self) -> jsonwebtoken::Header {
+    async fn jwt_header(&self) -> jsonwebtoken::Header {
         todo!{}
     }
 }

oid4vc-manager/src/managers/credential_issuer.rs

@@ -32,6 +32,7 @@ impl<S: Storage<CFC>, CFC: CredentialFormatCollection> CredentialIssuerManager<S
                     credential_issuer: issuer_url.clone(),
                     authorization_servers: vec![],
                     credential_endpoint: issuer_url.join("/credential")?,
+                    nonce_endpoint: None,
                     batch_credential_endpoint: Some(issuer_url.join("/batch_credential")?),
                     token_endpoint: None,
                     deferred_credential_endpoint: None,

oid4vci/src/credential_issuer/credential_configurations_supported.rs

@@ -112,7 +112,8 @@ mod tests {
                         proof_types_supported: vec![(
                             ProofType::Jwt,
                             KeyProofMetadata {
-                                proof_signing_alg_values_supported: vec!["ES256".to_string()]
+                                proof_signing_alg_values_supported: vec!["ES256".to_string()],
+                                key_attestations_required: None,
                             }
                         )]
                         .into_iter()

oid4vci/src/credential_issuer/credential_issuer_metadata.rs

@@ -30,6 +30,7 @@ where
     // TODO: Temporary solution
     #[derivative(Default(value = "Url::parse(\"https://example.com\").unwrap()"))]
     pub credential_endpoint: Url,
+    pub nonce_endpoint: Option<Url>,
     //TODO: Not RFC but if only preauth certain issuer put it here
     pub token_endpoint: Option<Url>,
     pub batch_credential_endpoint: Option<Url>,
@@ -76,6 +77,8 @@ mod tests {
                 credential_issuer: "https://credential-issuer.example.com".parse().unwrap(),
                 authorization_servers: vec!["https://server.example.com".parse().unwrap()],
                 credential_endpoint: Url::parse("https://credential-issuer.example.com").unwrap(),
+                nonce_endpoint: None,
+                token_endpoint: None,
                 batch_credential_endpoint: Some(
                     "https://credential-issuer.example.com/batch_credential"
                         .parse()
@@ -153,7 +156,8 @@ mod tests {
                         proof_types_supported: vec![(
                             ProofType::Jwt,
                             KeyProofMetadata {
-                                proof_signing_alg_values_supported: vec!["ES256".to_string()]
+                                proof_signing_alg_values_supported: vec!["ES256".to_string()],
+                                key_attestations_required: None,
                             }
                         )]
                         .into_iter()

oid4vci/src/credential_request.rs

@@ -69,6 +69,7 @@ mod tests {
     use serde::de::DeserializeOwned;
     use serde_json::json;
     use std::{fs::File, path::Path};
+    use OneOrManyKeyProofs::{Proof, Proofs};
 
     fn json_example<T>(path: &str) -> T
     where

oid4vci/src/proof.rs

@@ -29,6 +29,15 @@ pub enum KeyProofsType {
 #[derive(Debug, Serialize, Deserialize, Clone, PartialEq, Eq)]
 pub struct KeyProofMetadata {
     pub proof_signing_alg_values_supported: Vec<String>,
+    pub key_attestations_required: Option<KeyAttestationMetadata>,
+}
+
+#[derive(Debug, Serialize, Deserialize, Clone, PartialEq, Eq)]
+pub struct KeyAttestationMetadata {
+    #[serde(skip_serializing_if = "Vec::is_empty", default)]
+    pub key_storage: Vec<String>,
+    #[serde(skip_serializing_if = "Vec::is_empty", default)]
+    pub user_authentication: Vec<String>,
 }
 
 #[derive(Debug, Serialize, Deserialize, Clone, PartialEq, Eq, Hash)]

oid4vci/src/wallet/content_encryption.rs

@@ -133,7 +133,6 @@ pub fn base64_decode_bytes<T: AsRef<[u8]>>(bytes: &T) -> anyhow::Result<Vec<u8>>
 #[cfg(test)]
 mod tests {
     use hmac::Mac;
-    use oid4vc_core::jwt::base64_url_encode;
     use rsa::{rand_core::OsRng, traits::PublicKeyParts};
 
     use crate::wallet::content_encryption::{base64_encode_bytes, HmacSha256};
@@ -146,7 +145,7 @@ mod tests {
 
         let e = base64_encode_bytes(&exponent);
         let n = pub_key.n().to_bytes_be();
-        let n = base64_encode_bytes(&n);
+        let _n = base64_encode_bytes(&n);
         println!("{:?}", exponent);
         println!("{}", pub_key.e().to_string());
         println!("{}", e);

siopv2/src/test_utils.rs

@@ -44,7 +44,7 @@ impl Sign for TestSubject {
     fn external_signer(&self) -> Option<Arc<dyn ExternalSign>> {
         None
     }
-    fn jwt_header(&self) -> jsonwebtoken::Header {
+    async fn jwt_header(&self) -> jsonwebtoken::Header {
         todo!{}
     }
 }