requests.go 22.9 KB
Newer Older
1
package irma
2 3

import (
4
	"encoding/json"
5
	"fmt"
6
	"io/ioutil"
7 8 9
	"strconv"
	"time"

10
	"github.com/bwesterb/go-atum"
11
	"github.com/dgrijalva/jwt-go"
Sietse Ringers's avatar
Sietse Ringers committed
12
	"github.com/go-errors/errors"
13
	"github.com/privacybydesign/gabi"
14
	"github.com/privacybydesign/gabi/big"
15
	"github.com/privacybydesign/irmago/internal/fs"
Sietse Ringers's avatar
Sietse Ringers committed
16
)
17

18 19
// BaseRequest contains the context and nonce for an IRMA session.
type BaseRequest struct {
20 21
	Context *big.Int `json:"context,omitempty"`
	Nonce   *big.Int `json:"nonce,omitempty"`
22
	Type    Action   `json:"type"`
23

24 25 26
	Candidates [][][]*AttributeIdentifier `json:"-"`
	Choice     *DisclosureChoice          `json:"-"`
	Ids        *IrmaIdentifierSet         `json:"-"`
27

28
	Version *ProtocolVersion `json:"protocolVersion,omitempty"`
Sietse Ringers's avatar
Sietse Ringers committed
29 30
}

31 32
// An AttributeCon is only satisfied if all of its containing attribute requests are satisfied.
type AttributeCon []AttributeRequest
33

34 35
// An AttributeDisCon is satisfied if at least one of its containing AttributeCon is satisfied.
type AttributeDisCon []AttributeCon
36

37 38
// AttributeConDisCon is only satisfied if all of the containing AttributeDisCon are satisfied.
type AttributeConDisCon []AttributeDisCon
39

Sietse Ringers's avatar
Sietse Ringers committed
40
// A DisclosureRequest is a request to disclose certain attributes.
41
type DisclosureRequest struct {
42
	BaseRequest
43 44 45

	Disclose AttributeConDisCon       `json:"disclose"`
	Labels   map[int]TranslatedString `json:"labels"`
46 47
}

Sietse Ringers's avatar
Sietse Ringers committed
48
// A SignatureRequest is a a request to sign a message with certain attributes.
49
type SignatureRequest struct {
50
	*DisclosureRequest
51 52 53
	Message string `json:"message"`

	// Session state
54
	Timestamp *atum.Timestamp `json:"-"`
55 56
}

Sietse Ringers's avatar
Sietse Ringers committed
57 58
// An IssuanceRequest is a request to issue certain credentials,
// optionally also asking for certain attributes to be simultaneously disclosed.
59
type IssuanceRequest struct {
60 61
	*DisclosureRequest
	Credentials []*CredentialRequest `json:"credentials"`
Tomas's avatar
Tomas committed
62 63 64

	// Derived data
	CredentialInfoList        CredentialInfoList `json:",omitempty"`
65
	RemovalCredentialInfoList CredentialInfoList `json:",omitempty"`
66 67
}

Sietse Ringers's avatar
Sietse Ringers committed
68 69
// A CredentialRequest contains the attributes and metadata of a credential
// that will be issued in an IssuanceRequest.
70
type CredentialRequest struct {
71 72
	Validity         *Timestamp               `json:"validity,omitempty"`
	KeyCounter       int                      `json:"keyCounter,omitempty"`
73 74
	CredentialTypeID CredentialTypeIdentifier `json:"credential"`
	Attributes       map[string]string        `json:"attributes"`
Sietse Ringers's avatar
Sietse Ringers committed
75 76
}

77 78 79 80 81 82 83 84 85 86 87 88 89
// SessionRequest instances contain all information the irmaclient needs to perform an IRMA session.
type SessionRequest interface {
	Validator
	Base() *BaseRequest
	GetNonce() *big.Int
	Disclosure() *DisclosureRequest
	Identifiers() *IrmaIdentifierSet
	Action() Action
}

// Timestamp is a time.Time that marshals to Unix timestamps.
type Timestamp time.Time

Sietse Ringers's avatar
Sietse Ringers committed
90 91 92 93 94 95 96
// ServerJwt contains standard JWT fields.
type ServerJwt struct {
	Type       string    `json:"sub"`
	ServerName string    `json:"iss"`
	IssuedAt   Timestamp `json:"iat"`
}

97 98
// RequestorBaseRequest contains fields present in all RequestorRequest types
// with which the requestor configures an IRMA session.
99
type RequestorBaseRequest struct {
Sietse Ringers's avatar
Sietse Ringers committed
100 101 102
	ResultJwtValidity int    `json:"validity,omitempty"`    // Validity of session result JWT in seconds
	ClientTimeout     int    `json:"timeout,omitempty"`     // Wait this many seconds for the IRMA app to connect before the session times out
	CallbackUrl       string `json:"callbackUrl,omitempty"` // URL to post session result to
103 104
}

105 106
// RequestorRequest is the message with which requestors start an IRMA session. It contains a
// SessionRequest instance for the irmaclient along with extra fields in a RequestorBaseRequest.
107 108 109
type RequestorRequest interface {
	Validator
	SessionRequest() SessionRequest
110
	Base() RequestorBaseRequest
111 112
}

Sietse Ringers's avatar
Sietse Ringers committed
113 114
// A ServiceProviderRequest contains a disclosure request.
type ServiceProviderRequest struct {
115
	RequestorBaseRequest
Sietse Ringers's avatar
Sietse Ringers committed
116 117 118 119 120
	Request *DisclosureRequest `json:"request"`
}

// A SignatureRequestorRequest contains a signing request.
type SignatureRequestorRequest struct {
121
	RequestorBaseRequest
Sietse Ringers's avatar
Sietse Ringers committed
122 123 124 125 126
	Request *SignatureRequest `json:"request"`
}

// An IdentityProviderRequest contains an issuance request.
type IdentityProviderRequest struct {
127
	RequestorBaseRequest
Sietse Ringers's avatar
Sietse Ringers committed
128 129 130 131 132 133
	Request *IssuanceRequest `json:"request"`
}

// ServiceProviderJwt is a requestor JWT for a disclosure session.
type ServiceProviderJwt struct {
	ServerJwt
134
	Request *ServiceProviderRequest `json:"sprequest"`
Sietse Ringers's avatar
Sietse Ringers committed
135 136 137 138 139
}

// SignatureRequestorJwt is a requestor JWT for a signing session.
type SignatureRequestorJwt struct {
	ServerJwt
140
	Request *SignatureRequestorRequest `json:"absrequest"`
Sietse Ringers's avatar
Sietse Ringers committed
141 142 143 144 145
}

// IdentityProviderJwt is a requestor JWT for issuance session.
type IdentityProviderJwt struct {
	ServerJwt
146 147 148
	Request *IdentityProviderRequest `json:"iprequest"`
}

149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178
// A RequestorJwt contains an IRMA session object.
type RequestorJwt interface {
	Action() Action
	RequestorRequest() RequestorRequest
	SessionRequest() SessionRequest
	Requestor() string
	Valid() error
	Sign(jwt.SigningMethod, interface{}) (string, error)
}

// A DisclosureChoice contains the attributes chosen to be disclosed.
type DisclosureChoice struct {
	Attributes [][]*AttributeIdentifier
}

// An AttributeRequest asks for an instance of an attribute type, possibly requiring it to have
// a specified value, in a session request.
type AttributeRequest struct {
	Type  AttributeTypeIdentifier
	Value *string
}

var (
	bigZero = big.NewInt(0)
	bigOne  = big.NewInt(1)
)

func (b *BaseRequest) GetContext() *big.Int {
	if b.Context == nil {
		return bigOne
179
	}
180
	return b.Context
181 182
}

183 184 185
func (b *BaseRequest) GetNonce() *big.Int {
	if b.Nonce == nil {
		return bigZero
186
	}
187
	return b.Nonce
188 189
}

190 191 192 193 194 195
// CredentialTypes returns an array of all credential types occuring in this conjunction.
func (c AttributeCon) CredentialTypes() []CredentialTypeIdentifier {
	var result []CredentialTypeIdentifier
	tmp := map[CredentialTypeIdentifier]struct{}{}
	for _, attr := range c {
		tmp[attr.Type.CredentialTypeIdentifier()] = struct{}{}
196
	}
197 198 199 200
	for cred := range tmp {
		result = append(result, cred)
	}
	return result
201 202
}

203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221
func (c *AttributeCon) MarshalJSON() ([]byte, error) {
	var vals bool
	m := map[AttributeTypeIdentifier]*string{}
	var l []AttributeTypeIdentifier

	for _, attr := range *c {
		m[attr.Type] = attr.Value
		if attr.Value == nil {
			l = append(l, attr.Type)
		} else {
			vals = true
		}
	}

	if vals {
		return json.Marshal(m)
	} else {
		return json.Marshal(l)
	}
222 223
}

224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241
func (c *AttributeCon) UnmarshalJSON(bts []byte) error {
	var err error
	m := map[AttributeTypeIdentifier]*string{}
	if err = json.Unmarshal(bts, &m); err == nil {
		for id, val := range m {
			*c = append(*c, AttributeRequest{Type: id, Value: val})
		}
		return nil
	}

	var l []AttributeTypeIdentifier
	if err = json.Unmarshal(bts, &l); err == nil {
		for _, id := range l {
			*c = append(*c, AttributeRequest{Type: id})
		}
	}

	return err
242 243
}

244 245
func (ar *AttributeRequest) Satisfy(attr AttributeTypeIdentifier, val *string) bool {
	return ar.Type == attr && (ar.Value == nil || (val != nil && *ar.Value == *val))
Sietse Ringers's avatar
Sietse Ringers committed
246 247
}

248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265
func (c AttributeCon) Satisfy(proofs gabi.ProofList, indices []*DisclosedAttributeIndex, conf *Configuration) ([]*DisclosedAttribute, error) {
	if len(indices) < len(c) {
		return nil, nil
	}
	attrs := make([]*DisclosedAttribute, 0, len(c))

	for j := range c {
		index := indices[j]
		attr, val, err := extractAttribute(proofs, index, conf)
		if err != nil {
			return nil, err
		}
		if !c[j].Satisfy(attr.Identifier, val) {
			return nil, nil
		}
		attrs = append(attrs, attr)
	}
	return attrs, nil
266 267
}

268 269 270 271 272 273 274 275
func (dc AttributeDisCon) Satisfy(proofs gabi.ProofList, indices []*DisclosedAttributeIndex, conf *Configuration) ([]*DisclosedAttribute, error) {
	for _, con := range dc {
		attrs, err := con.Satisfy(proofs, indices, conf)
		if len(attrs) > 0 || err != nil {
			return attrs, err
		}
	}
	return nil, nil
276 277
}

278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298
func (cdc AttributeConDisCon) Satisfy(disclosure *Disclosure, conf *Configuration) (bool, [][]*DisclosedAttribute, error) {
	if len(disclosure.Indices) < len(cdc) {
		return false, nil, nil
	}
	list := make([][]*DisclosedAttribute, len(cdc))
	complete := true

	for i, discon := range cdc {
		attrs, err := discon.Satisfy(disclosure.Proofs, disclosure.Indices[i], conf)
		if err != nil {
			return false, nil, err
		}
		if len(attrs) > 0 {
			list[i] = attrs
		} else {
			complete = false
			list[i] = nil
		}
	}

	return complete, list, nil
299 300
}

301 302 303 304 305 306 307 308 309 310 311 312
func (cdc AttributeConDisCon) Iterate(f func(attr *AttributeRequest) error) error {
	var err error
	for _, discon := range cdc {
		for _, con := range discon {
			for _, attr := range con {
				if err = f(&attr); err != nil {
					return err
				}
			}
		}
	}
	return nil
313 314
}

315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387
func (dr *DisclosureRequest) AddSingle(attr AttributeTypeIdentifier, value *string, label TranslatedString) {
	dr.Disclose = append(dr.Disclose, AttributeDisCon{AttributeCon{{Type: attr, Value: value}}})
	dr.Labels[len(dr.Disclose)-1] = label
}

func NewDisclosureRequest(attrs ...AttributeTypeIdentifier) *DisclosureRequest {
	request := &DisclosureRequest{
		BaseRequest: BaseRequest{Type: ActionDisclosing},
		Labels:      map[int]TranslatedString{},
	}
	for _, attr := range attrs {
		request.AddSingle(attr, nil, nil)
	}
	return request
}

func NewSignatureRequest(message string, attrs ...AttributeTypeIdentifier) *SignatureRequest {
	dr := NewDisclosureRequest(attrs...)
	dr.Type = ActionSigning
	return &SignatureRequest{
		DisclosureRequest: dr,
		Message:           message,
	}
}

func NewIssuanceRequest(creds []*CredentialRequest, attrs ...AttributeTypeIdentifier) *IssuanceRequest {
	dr := NewDisclosureRequest(attrs...)
	dr.Type = ActionIssuing
	return &IssuanceRequest{
		DisclosureRequest: dr,
		Credentials:       creds,
	}
}

func (dr *DisclosureRequest) Disclosure() *DisclosureRequest {
	return dr
}

func (dr *DisclosureRequest) Identifiers() *IrmaIdentifierSet {
	if dr.Ids == nil {
		dr.Ids = &IrmaIdentifierSet{
			SchemeManagers:  map[SchemeManagerIdentifier]struct{}{},
			Issuers:         map[IssuerIdentifier]struct{}{},
			CredentialTypes: map[CredentialTypeIdentifier]struct{}{},
			PublicKeys:      map[IssuerIdentifier][]int{},
		}

		_ = dr.Disclose.Iterate(func(a *AttributeRequest) error {
			attr := a.Type
			dr.Ids.SchemeManagers[attr.CredentialTypeIdentifier().IssuerIdentifier().SchemeManagerIdentifier()] = struct{}{}
			dr.Ids.Issuers[attr.CredentialTypeIdentifier().IssuerIdentifier()] = struct{}{}
			dr.Ids.CredentialTypes[attr.CredentialTypeIdentifier()] = struct{}{}
			return nil
		})
	}
	return dr.Ids
}

func (dr *DisclosureRequest) Base() *BaseRequest {
	return &dr.BaseRequest
}

func (dr *DisclosureRequest) Action() Action { return ActionDisclosing }

func (dr *DisclosureRequest) Validate() error {
	if dr.Type != ActionDisclosing {
		return errors.New("Not a disclosure request")
	}
	if len(dr.Disclose) == 0 {
		return errors.New("Disclosure request had no attributes")
	}
	return nil
}
Sietse Ringers's avatar
Sietse Ringers committed
388

389 390
func (cr *CredentialRequest) Info(conf *Configuration, metadataVersion byte) (*CredentialInfo, error) {
	list, err := cr.AttributeList(conf, metadataVersion)
391 392 393
	if err != nil {
		return nil, err
	}
394
	return NewCredentialInfo(list.Ints, conf), nil
395 396
}

397 398 399 400
// Validate checks that this credential request is consistent with the specified Configuration:
// the credential type is known, all required attributes are present and no unknown attributes
// are given.
func (cr *CredentialRequest) Validate(conf *Configuration) error {
401
	credtype := conf.CredentialTypes[cr.CredentialTypeID]
Sietse Ringers's avatar
Sietse Ringers committed
402
	if credtype == nil {
403
		return errors.New("Credential request of unknown credential type")
Sietse Ringers's avatar
Sietse Ringers committed
404
	}
405 406 407 408 409

	// Check that there are no attributes in the credential request that aren't
	// in the credential descriptor.
	for crName := range cr.Attributes {
		found := false
410
		for _, ad := range credtype.AttributeTypes {
411 412 413 414 415 416
			if ad.ID == crName {
				found = true
				break
			}
		}
		if !found {
417
			return errors.New("Credential request contaiins unknown attribute")
418
		}
Sietse Ringers's avatar
Sietse Ringers committed
419 420
	}

421
	for _, attrtype := range credtype.AttributeTypes {
422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445
		if _, present := cr.Attributes[attrtype.ID]; !present && attrtype.Optional != "true" {
			return errors.New("Required attribute not present in credential request")
		}
	}

	return nil
}

// AttributeList returns the list of attributes from this credential request.
func (cr *CredentialRequest) AttributeList(conf *Configuration, metadataVersion byte) (*AttributeList, error) {
	if err := cr.Validate(conf); err != nil {
		return nil, err
	}

	// Compute metadata attribute
	meta := NewMetadataAttribute(metadataVersion)
	meta.setKeyCounter(cr.KeyCounter)
	meta.setCredentialTypeIdentifier(cr.CredentialTypeID.String())
	meta.setSigningDate()
	if err := meta.setExpiryDate(cr.Validity); err != nil {
		return nil, err
	}

	// Compute other attributes
446
	credtype := conf.CredentialTypes[cr.CredentialTypeID]
447
	attrs := make([]*big.Int, len(credtype.AttributeTypes)+1)
Sietse Ringers's avatar
Sietse Ringers committed
448
	attrs[0] = meta.Int
449
	for i, attrtype := range credtype.AttributeTypes {
450
		attrs[i+1] = new(big.Int)
Sietse Ringers's avatar
Sietse Ringers committed
451
		if str, present := cr.Attributes[attrtype.ID]; present {
452
			// Set attribute to str << 1 + 1
453
			attrs[i+1].SetBytes([]byte(str))
454 455 456 457
			if meta.Version() >= 0x03 {
				attrs[i+1].Lsh(attrs[i+1], 1)             // attr <<= 1
				attrs[i+1].Add(attrs[i+1], big.NewInt(1)) // attr += 1
			}
Sietse Ringers's avatar
Sietse Ringers committed
458 459 460
		}
	}

461
	return NewAttributeListFromInts(attrs, conf), nil
Sietse Ringers's avatar
Sietse Ringers committed
462 463
}

Sietse Ringers's avatar
Sietse Ringers committed
464
func (ir *IssuanceRequest) Identifiers() *IrmaIdentifierSet {
465 466
	if ir.Ids == nil {
		ir.Ids = &IrmaIdentifierSet{
467 468 469 470
			SchemeManagers:  map[SchemeManagerIdentifier]struct{}{},
			Issuers:         map[IssuerIdentifier]struct{}{},
			CredentialTypes: map[CredentialTypeIdentifier]struct{}{},
			PublicKeys:      map[IssuerIdentifier][]int{},
Sietse Ringers's avatar
Sietse Ringers committed
471 472
		}

Sietse Ringers's avatar
Sietse Ringers committed
473
		for _, credreq := range ir.Credentials {
Sietse Ringers's avatar
Sietse Ringers committed
474
			issuer := credreq.CredentialTypeID.IssuerIdentifier()
475 476
			ir.Ids.SchemeManagers[issuer.SchemeManagerIdentifier()] = struct{}{}
			ir.Ids.Issuers[issuer] = struct{}{}
477
			ir.Ids.CredentialTypes[credreq.CredentialTypeID] = struct{}{}
478 479
			if ir.Ids.PublicKeys[issuer] == nil {
				ir.Ids.PublicKeys[issuer] = []int{}
480
			}
481
			ir.Ids.PublicKeys[issuer] = append(ir.Ids.PublicKeys[issuer], credreq.KeyCounter)
482 483
		}

484
		ir.Ids.join(ir.DisclosureRequest.Identifiers())
Sietse Ringers's avatar
Sietse Ringers committed
485
	}
486
	return ir.Ids
Sietse Ringers's avatar
Sietse Ringers committed
487 488
}

Tomas's avatar
Tomas committed
489 490 491 492 493 494 495 496 497 498 499 500 501
func (ir *IssuanceRequest) GetCredentialInfoList(conf *Configuration, version *ProtocolVersion) (CredentialInfoList, error) {
	if ir.CredentialInfoList == nil {
		for _, credreq := range ir.Credentials {
			info, err := credreq.Info(conf, GetMetadataVersion(version))
			if err != nil {
				return nil, err
			}
			ir.CredentialInfoList = append(ir.CredentialInfoList, info)
		}
	}
	return ir.CredentialInfoList, nil
}

502 503
func (ir *IssuanceRequest) Action() Action { return ActionIssuing }

504 505 506 507 508 509 510 511 512 513
func (ir *IssuanceRequest) Validate() error {
	if ir.Type != ActionIssuing {
		return errors.New("Not an issuance request")
	}
	if len(ir.Credentials) == 0 {
		return errors.New("Empty issuance request")
	}
	return nil
}

Sietse Ringers's avatar
Sietse Ringers committed
514 515
// GetNonce returns the nonce of this signature session
// (with the message already hashed into it).
516
func (sr *SignatureRequest) GetNonce() *big.Int {
517
	return ASN1ConvertSignatureNonce(sr.Message, sr.BaseRequest.GetNonce(), sr.Timestamp)
518 519
}

520
func (sr *SignatureRequest) SignatureFromMessage(message interface{}) (*SignedMessage, error) {
521
	signature, ok := message.(*Disclosure)
522 523 524 525 526

	if !ok {
		return nil, errors.Errorf("Type assertion failed")
	}

527 528 529 530
	nonce := sr.Nonce
	if nonce == nil {
		nonce = bigZero
	}
531
	return &SignedMessage{
532
		Signature: signature.Proofs,
533
		Indices:   signature.Indices,
534 535
		Nonce:     nonce,
		Context:   sr.GetContext(),
536
		Message:   sr.Message,
537
		Timestamp: sr.Timestamp,
538 539 540
	}, nil
}

541 542
func (sr *SignatureRequest) Action() Action { return ActionSigning }

543 544 545 546 547 548 549
func (sr *SignatureRequest) Validate() error {
	if sr.Type != ActionSigning {
		return errors.New("Not a signature request")
	}
	if sr.Message == "" {
		return errors.New("Signature request had empty message")
	}
550 551
	if len(sr.Disclose) == 0 {
		return errors.New("Signature request had no attributes")
552 553 554 555
	}
	return nil
}

556 557 558 559 560
// Check if Timestamp is before other Timestamp. Used for checking expiry of attributes
func (t Timestamp) Before(u Timestamp) bool {
	return time.Time(t).Before(time.Time(u))
}

561 562 563 564
func (t Timestamp) After(u Timestamp) bool {
	return time.Time(t).After(time.Time(u))
}

565 566
// MarshalJSON marshals a timestamp.
func (t *Timestamp) MarshalJSON() ([]byte, error) {
567
	return []byte(t.String()), nil
568 569 570 571 572 573 574 575 576 577 578
}

// UnmarshalJSON unmarshals a timestamp.
func (t *Timestamp) UnmarshalJSON(b []byte) error {
	ts, err := strconv.Atoi(string(b))
	if err != nil {
		return err
	}
	*t = Timestamp(time.Unix(int64(ts), 0))
	return nil
}
Sietse Ringers's avatar
Sietse Ringers committed
579

580 581 582 583 584
// Timestamp implements Stringer.
func (t *Timestamp) String() string {
	return fmt.Sprint(time.Time(*t).Unix())
}

585 586 587 588 589 590 591 592
func readTimestamp(path string) (*Timestamp, bool, error) {
	exists, err := fs.PathExists(path)
	if err != nil {
		return nil, false, err
	}
	if !exists {
		return nil, false, nil
	}
593 594
	bts, err := ioutil.ReadFile(path)
	if err != nil {
595
		return nil, true, errors.New("Could not read scheme manager timestamp")
596
	}
597 598
	ts, err := parseTimestamp(bts)
	return ts, true, err
599 600
}

601
func parseTimestamp(bts []byte) (*Timestamp, error) {
602 603 604 605 606 607
	// Remove final character \n if present
	if bts[len(bts)-1] == '\n' {
		bts = bts[:len(bts)-1]
	}
	// convert from byte slice to string; parse as int
	str, err := strconv.ParseInt(string(bts), 10, 64)
608
	if err != nil {
609
		return nil, err
610
	}
611 612
	ts := Timestamp(time.Unix(str, 0))
	return &ts, nil
613 614
}

Sietse Ringers's avatar
Sietse Ringers committed
615 616 617 618 619 620 621 622
// NewServiceProviderJwt returns a new ServiceProviderJwt.
func NewServiceProviderJwt(servername string, dr *DisclosureRequest) *ServiceProviderJwt {
	return &ServiceProviderJwt{
		ServerJwt: ServerJwt{
			ServerName: servername,
			IssuedAt:   Timestamp(time.Now()),
			Type:       "verification_request",
		},
623 624 625 626
		Request: &ServiceProviderRequest{
			RequestorBaseRequest: RequestorBaseRequest{ResultJwtValidity: 120},
			Request:              dr,
		},
Sietse Ringers's avatar
Sietse Ringers committed
627 628 629 630 631 632 633 634 635 636 637
	}
}

// NewSignatureRequestorJwt returns a new SignatureRequestorJwt.
func NewSignatureRequestorJwt(servername string, sr *SignatureRequest) *SignatureRequestorJwt {
	return &SignatureRequestorJwt{
		ServerJwt: ServerJwt{
			ServerName: servername,
			IssuedAt:   Timestamp(time.Now()),
			Type:       "signature_request",
		},
638 639 640 641
		Request: &SignatureRequestorRequest{
			RequestorBaseRequest: RequestorBaseRequest{ResultJwtValidity: 120},
			Request:              sr,
		},
Sietse Ringers's avatar
Sietse Ringers committed
642 643 644 645 646 647 648 649 650 651 652
	}
}

// NewIdentityProviderJwt returns a new IdentityProviderJwt.
func NewIdentityProviderJwt(servername string, ir *IssuanceRequest) *IdentityProviderJwt {
	return &IdentityProviderJwt{
		ServerJwt: ServerJwt{
			ServerName: servername,
			IssuedAt:   Timestamp(time.Now()),
			Type:       "issue_request",
		},
653 654 655 656
		Request: &IdentityProviderRequest{
			RequestorBaseRequest: RequestorBaseRequest{ResultJwtValidity: 120},
			Request:              ir,
		},
Sietse Ringers's avatar
Sietse Ringers committed
657 658 659
	}
}

660 661 662 663 664 665 666
func (jwt *ServerJwt) Requestor() string { return jwt.ServerName }

func (r *ServiceProviderRequest) Validate() error {
	if r.Request == nil {
		return errors.New("Not a ServiceProviderRequest")
	}
	return r.Request.Validate()
Sietse Ringers's avatar
Sietse Ringers committed
667 668
}

669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705
func (r *SignatureRequestorRequest) Validate() error {
	if r.Request == nil {
		return errors.New("Not a SignatureRequestorRequest")
	}
	return r.Request.Validate()
}

func (r *IdentityProviderRequest) Validate() error {
	if r.Request == nil {
		return errors.New("Not a IdentityProviderRequest")
	}
	return r.Request.Validate()
}

func (r *ServiceProviderRequest) SessionRequest() SessionRequest {
	return r.Request
}

func (r *SignatureRequestorRequest) SessionRequest() SessionRequest {
	return r.Request
}

func (r *IdentityProviderRequest) SessionRequest() SessionRequest {
	return r.Request
}

func (r *ServiceProviderRequest) Base() RequestorBaseRequest {
	return r.RequestorBaseRequest
}

func (r *SignatureRequestorRequest) Base() RequestorBaseRequest {
	return r.RequestorBaseRequest
}

func (r *IdentityProviderRequest) Base() RequestorBaseRequest {
	return r.RequestorBaseRequest
}
706

707
// SessionRequest returns an IRMA session object.
708
func (claims *ServiceProviderJwt) SessionRequest() SessionRequest { return claims.Request.Request }
Sietse Ringers's avatar
Sietse Ringers committed
709

710
// SessionRequest returns an IRMA session object.
711
func (claims *SignatureRequestorJwt) SessionRequest() SessionRequest { return claims.Request.Request }
Sietse Ringers's avatar
Sietse Ringers committed
712

713
// SessionRequest returns an IRMA session object.
714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735
func (claims *IdentityProviderJwt) SessionRequest() SessionRequest { return claims.Request.Request }

func (claims *ServiceProviderJwt) Sign(method jwt.SigningMethod, key interface{}) (string, error) {
	return jwt.NewWithClaims(method, claims).SignedString(key)
}

func (claims *SignatureRequestorJwt) Sign(method jwt.SigningMethod, key interface{}) (string, error) {
	return jwt.NewWithClaims(method, claims).SignedString(key)
}

func (claims *IdentityProviderJwt) Sign(method jwt.SigningMethod, key interface{}) (string, error) {
	return jwt.NewWithClaims(method, claims).SignedString(key)
}

func (claims *ServiceProviderJwt) RequestorRequest() RequestorRequest { return claims.Request }

func (claims *SignatureRequestorJwt) RequestorRequest() RequestorRequest { return claims.Request }

func (claims *IdentityProviderJwt) RequestorRequest() RequestorRequest { return claims.Request }

func (claims *ServiceProviderJwt) Valid() error {
	if claims.Type != "verification_request" {
736 737 738

		return errors.New("Verification jwt has invalid subject")
	}
739
	if time.Time(claims.IssuedAt).After(time.Now()) {
740 741 742 743 744
		return errors.New("Verification jwt not yet valid")
	}
	return nil
}

745 746
func (claims *SignatureRequestorJwt) Valid() error {
	if claims.Type != "signature_request" {
747 748
		return errors.New("Signature jwt has invalid subject")
	}
749
	if time.Time(claims.IssuedAt).After(time.Now()) {
750 751 752 753 754
		return errors.New("Signature jwt not yet valid")
	}
	return nil
}

755 756
func (claims *IdentityProviderJwt) Valid() error {
	if claims.Type != "issue_request" {
757 758
		return errors.New("Issuance jwt has invalid subject")
	}
759
	if time.Time(claims.IssuedAt).After(time.Now()) {
760 761 762 763 764
		return errors.New("Issuance jwt not yet valid")
	}
	return nil
}

765 766 767
func (claims *ServiceProviderJwt) Action() Action { return ActionDisclosing }

func (claims *SignatureRequestorJwt) Action() Action { return ActionSigning }
768

769
func (claims *IdentityProviderJwt) Action() Action { return ActionIssuing }
770

771
func SignSessionRequest(request SessionRequest, alg jwt.SigningMethod, key interface{}, name string) (string, error) {
772 773 774 775 776 777 778 779 780 781 782
	var jwtcontents RequestorJwt
	switch r := request.(type) {
	case *IssuanceRequest:
		jwtcontents = NewIdentityProviderJwt(name, r)
	case *DisclosureRequest:
		jwtcontents = NewServiceProviderJwt(name, r)
	case *SignatureRequest:
		jwtcontents = NewSignatureRequestorJwt(name, r)
	}
	return jwtcontents.Sign(alg, key)
}
783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798

func SignRequestorRequest(request RequestorRequest, alg jwt.SigningMethod, key interface{}, name string) (string, error) {
	var jwtcontents RequestorJwt
	switch r := request.(type) {
	case *IdentityProviderRequest:
		jwtcontents = NewIdentityProviderJwt(name, nil)
		jwtcontents.(*IdentityProviderJwt).Request = r
	case *ServiceProviderRequest:
		jwtcontents = NewServiceProviderJwt(name, nil)
		jwtcontents.(*ServiceProviderJwt).Request = r
	case *SignatureRequestorRequest:
		jwtcontents = NewSignatureRequestorJwt(name, nil)
		jwtcontents.(*SignatureRequestorJwt).Request = r
	}
	return jwtcontents.Sign(alg, key)
}
799 800 801 802 803

// NewAttributeRequest requests the specified attribute.
func NewAttributeRequest(attr string) AttributeRequest {
	return AttributeRequest{Type: NewAttributeTypeIdentifier(attr)}
}