ruby-cli/generate-key-proof.rb at main · javereec/ruby-cli · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
#!/usr/bin/env ruby
#
# INSTALL
# -------
#
#   chmod +x generate-key-proof.rb
#
# USAGE
# -----
#
#   generate-key-proof.rb
#     --client-id={CLIENT_ID}                  # -c {CLIENT_ID}
#     --credential-issuer={CREDENTIAL_ISSUER}  # -i {CREDENTIAL_ISSUER}
#     --did={DID_JWK_URL}                      # -d {DID_JWK_URL}
#     --key={PRIVATE_KEY_IN_JWK_FORMAT}        # -k {PRIVATE_KEY_IN_JWK_FORMAT}
#     --nonce={C_NONCE}                        # -n {C_NONCE}
#
# AUTHORS
# -------
#
#   Takahiko Kawasaki <taka@authlete.com>
#   Jan Vereecken <ciao@janvereecken.com>
#
# CHANGELOG
# -------
#   2024-10-04
#     - Make client_id optional
#     - Add DID option
#

require 'bundler/inline'

gemfile do
  source 'https://rubygems.org'
  gem 'json-jwt'
  gem 'optparse'
end

require 'securerandom'
require 'time'

#------------------------------------------------------------
# main
#------------------------------------------------------------
def main(args)
  # Process the command line options.
  options = Options.process(args)

  # Prepare the payload of the key proof.
  payload = build_payload(options)

  # Generate a JWS by signing with the key.
  proof = sign(payload, options.key, options.did)

  # Write the key proof to the standard output.
  puts proof
end


#------------------------------------------------------------
# Prepare the payload of the key proof.
#------------------------------------------------------------
def build_payload(options)
  # The current time in seconds for time-related claims
  now = Time.now.to_i

  # Payload of a key proof
  payload = {
    aud:   options.credential_issuer,
    iat:   now,
    nonce: options.nonce
  }

  # Optional client_id attribute
  payload[:iss] = options.client_id if options.client_id

  payload
end


#------------------------------------------------------------
# Generate a JWS by signing with the key.
#------------------------------------------------------------
def sign(payload, jwk, did)
  # Prepare a JWT with the header and the payload.
  jwt = JSON::JWT.new(payload)

  # Set up some header parameters.
  jwt.typ = 'openid4vci-proof+jwt'

  if did
    jwt.kid = did
  else
    jwt.jwk = jwk.normalize  # to a public key
  end

  # Sign the JWT with the key and convert it to JWS.
  jwt.sign(jwk).to_s
end


#------------------------------------------------------------
# Command line options
#------------------------------------------------------------
class Options < OptionParser
  DESC_CLIENT_ID         = "The identifier of the client application (wallet)."
  DESC_CREDENTIAL_ISSUER = "The identifier of the credential issuer."
  DESC_DID               = "The DID:JWK to be used as the 'kid' in the JOSE header."
  DESC_KEY               = "A file containing a private key in the JWK format."
  DESC_NONCE             = "The 'c_nonce' value that has been issued from the token endpoint or the credential endpoint."

  attr_reader :client_id, :credential_issuer, :did, :key, :nonce

  def initialize
    super

    @client_id         = nil
    @credential_issuer = nil
    @did               = nil
    @key               = nil
    @nonce             = nil

    self.on('-c CLIENT_ID', '--client-id=CLIENT_ID', DESC_CLIENT_ID) do |client_id|
      @client_id = client_id
    end

    self.on('-i CREDENTIAL_ISSUER', '--credential-issuer=CREDENTIAL_ISSUER', DESC_CREDENTIAL_ISSUER) do |issuer|
      @credential_issuer = issuer
    end

    self.on('-d DID', '--did=DID', DESC_DID) do |did|
      @did = did
    end

    self.on('-k FILE', '--key=FILE', DESC_KEY) do |file|
      @key = self.read_jwk(file)
    end

    self.on('-n NONCE', '--nonce=NONCE', DESC_NONCE) do |nonce|
      @nonce = nonce
    end
  end

  private

  def read_jwk(file)
    json = File.read(file)
    hash = JSON.parse(json, {symbolize_names: true})
    JSON::JWK.new(hash)
  end

  def error_if_missing(value, option)
    if value.nil?
      raise OptionParser::ParseError.new "'#{option}' is missing."
    end
  end

  public

  def verify
    error_if_missing(@credential_issuer, '--credential-issuer=CREDENTIAL_ISSUER')
    error_if_missing(@key,               '--key=FILE')
    error_if_missing(@nonce,             '--nonce=NONCE')
  end

  def self.process(args)
    options = Options.new
    options.parse(args)
    options.verify()

    return options
  end
end


#------------------------------------------------------------
# Extension of the json-jwt library
#------------------------------------------------------------
module JSON
  class JWT
    # Override the 'sign' method not to include 'kid'.
    def sign(private_key_or_secret, algorithm = :autodetect)
      jws = JWS.new self
      jws.alg = algorithm
      jws.sign! private_key_or_secret
    end
  end
end


#------------------------------------------------------------
# Entry Point
#------------------------------------------------------------
main(ARGV)