fix: Add expiration time for cloud-agent (#1132)

Signed-off-by: mineme0110 <shailesh.patil@iohk.io>

cloud-agent/service/server/src/main/resources/application.conf

@@ -28,6 +28,7 @@ pollux {
     awaitConnectionThreads = 4
     awaitConnectionThreads = ${?POLLUX_DB_AWAIT_CONNECTION_THREADS}
   }
+  credentialSdJwtExpirationTime = 30 days // Default exp claim duration in days sd jwt token if not provided in credential offer
   statusListRegistry {
     # defaults to the exposed AGENT_HTTP_PORT port
     publicEndpointUrl = "http://localhost:"${agent.httpEndpoint.http.port}

cloud-agent/service/server/src/main/scala/org/hyperledger/identus/agent/server/config/AppConfig.scala

@@ -68,6 +68,7 @@ object ValidatedVaultConfig {
 
 final case class PolluxConfig(
     database: DatabaseConfig,
+    credentialSdJwtExpirationTime: Duration,
     statusListRegistry: StatusListRegistryConfig,
     issueBgJobRecordsLimit: Int,
     issueBgJobRecurrenceDelay: Duration,

cloud-agent/service/server/src/main/scala/org/hyperledger/identus/agent/server/jobs/IssueBackgroundJobs.scala

@@ -495,7 +495,7 @@ object IssueBackgroundJobs extends BackgroundJobsHelper {
               credentialService <- ZIO.service[CredentialService]
               config <- ZIO.service[AppConfig]
               _ <- credentialService
-                .generateSDJWTCredential(id)
+                .generateSDJWTCredential(id, config.pollux.credentialSdJwtExpirationTime)
                 .provideSomeLayer(ZLayer.succeed(walletAccessContext))
             } yield ()).mapError(e => (walletAccessContext, e))
           } yield result

pollux/core/src/main/scala/org/hyperledger/identus/pollux/core/service/CredentialService.scala

@@ -14,7 +14,7 @@ import org.hyperledger.identus.pollux.core.model.*
 import org.hyperledger.identus.pollux.core.model.error.CredentialServiceError
 import org.hyperledger.identus.pollux.core.model.error.CredentialServiceError.*
 import org.hyperledger.identus.shared.models.WalletAccessContext
-import zio.{IO, ZIO}
+import zio.{Duration, IO, ZIO}
 
 import java.nio.charset.StandardCharsets
 import java.util.UUID
@@ -118,6 +118,7 @@ trait CredentialService {
 
   def generateSDJWTCredential(
       recordId: DidCommID,
+      expirationTime: Duration,
   ): ZIO[WalletAccessContext, CredentialServiceError, IssueCredentialRecord]
 
   def generateAnonCredsCredential(

pollux/core/src/main/scala/org/hyperledger/identus/pollux/core/service/CredentialServiceImpl.scala

@@ -607,11 +607,7 @@ private class CredentialServiceImpl(
     for {
       ed25519keyPair <- getEd25519SigningKeyPair(jwtIssuerDID, verificationRelationship)
     } yield {
-
-      val d = java.util.Base64.getUrlEncoder.withoutPadding().encodeToString(ed25519keyPair.privateKey.getEncoded)
-      val x = java.util.Base64.getUrlEncoder.withoutPadding().encodeToString(ed25519keyPair.publicKey.getEncoded)
-      val okpJson = s"""{"kty":"OKP","crv":"Ed25519","d":"$d","x":"$x"}"""
-      val octetKeyPair = OctetKeyPair.parse(okpJson)
+      val octetKeyPair = ed25519keyPair.toOctetKeyPair
       JwtIssuer(
         org.hyperledger.identus.pollux.vc.jwt.DID(jwtIssuerDID.toString),
         EdSigner(ed25519keyPair),
@@ -1326,6 +1322,7 @@ private class CredentialServiceImpl(
   // Issuer Generating the credential
   override def generateSDJWTCredential(
       recordId: DidCommID,
+      expirationTime: Duration,
   ): ZIO[WalletAccessContext, CredentialServiceError, IssueCredentialRecord] = {
     for {
       record <- getRecordWithState(recordId, ProtocolState.CredentialPending)
@@ -1364,17 +1361,24 @@ private class CredentialServiceImpl(
       preview = offerCredentialData.body.credential_preview
       claims <- CredentialService.convertAttributesToJsonClaims(preview.body.attributes)
       sdJwtPrivateKey = sdjwt.IssuerPrivateKey(ed25519KeyPair.privateKey)
-      didDocResult <- didResolver.resolve(jwtPresentation.iss) map {
-        case failed: DIDResolutionFailed       => CredentialServiceError.UnexpectedError(failed.error.toString)
-        case succeeded: DIDResolutionSucceeded => succeeded.didDocument.authentication.map(x => x)
+      didDocResult <- didResolver.resolve(jwtPresentation.iss) flatMap {
+        case failed: DIDResolutionFailed =>
+          ZIO.fail(CredentialServiceError.UnexpectedError(failed.error.toString))
+        case succeeded: DIDResolutionSucceeded => ZIO.succeed(succeeded.didDocument.authentication)
       }
       now = Instant.now.getEpochSecond
-      in30Days = Instant.now.plus(30, ChronoUnit.DAYS).getEpochSecond // FIXME hardcode 30days
+      exp = claims("exp").flatMap(_.asNumber).flatMap(_.toLong)
+      expInSeconds <- ZIO.fromEither(exp match {
+        case Some(e) if e > now => Right(e)
+        case Some(e) =>
+          Left(CredentialServiceError.UnsupportedVCClaimsValue(s"Error: Expiration Time Not valid or expired :$e"))
+        case _ => Right(Instant.now.plus(expirationTime).getEpochSecond)
+      })
       claimsUpdated = claims
-        .add("iss", issuingDID.did.toString.asJson)
+        .add("iss", issuingDID.did.toString.asJson) // This is issuer did
         .add("sub", jwtPresentation.iss.asJson) // This is subject did
         .add("iat", now.asJson)
-        .add("exp", in30Days.asJson)
+        .add("exp", expInSeconds.asJson)
       credential = SDJWT.issueCredential(
         sdJwtPrivateKey,
         claimsUpdated.asJson.noSpaces,

pollux/core/src/main/scala/org/hyperledger/identus/pollux/core/service/CredentialServiceNotifier.scala

@@ -8,6 +8,7 @@ import org.hyperledger.identus.mercury.protocol.issuecredential.{IssueCredential
 import org.hyperledger.identus.pollux.core.model.{DidCommID, IssueCredentialRecord}
 import org.hyperledger.identus.pollux.core.model.error.CredentialServiceError
 import org.hyperledger.identus.shared.models.WalletAccessContext
+import zio.{Duration, IO, URLayer, ZIO, ZLayer}
 import zio.{IO, URLayer, ZIO, ZLayer}
 
 import java.util.UUID
@@ -151,9 +152,10 @@ class CredentialServiceNotifier(
     notifyOnSuccess(svc.generateJWTCredential(recordId, statusListRegistryUrl))
 
   override def generateSDJWTCredential(
-      recordId: DidCommID
+      recordId: DidCommID,
+      expirationTime: Duration,
   ): ZIO[WalletAccessContext, CredentialServiceError, IssueCredentialRecord] =
-    notifyOnSuccess(svc.generateSDJWTCredential(recordId))
+    notifyOnSuccess(svc.generateSDJWTCredential(recordId, expirationTime))
 
   override def generateAnonCredsCredential(
       recordId: DidCommID

pollux/core/src/main/scala/org/hyperledger/identus/pollux/core/service/MockCredentialService.scala

@@ -7,6 +7,7 @@ import org.hyperledger.identus.mercury.protocol.issuecredential.{IssueCredential
 import org.hyperledger.identus.pollux.core.model.{DidCommID, IssueCredentialRecord}
 import org.hyperledger.identus.pollux.core.model.error.CredentialServiceError
 import org.hyperledger.identus.shared.models.WalletAccessContext
+import zio.{mock, Duration, IO, URLayer, ZIO, ZLayer}
 import zio.{mock, IO, URLayer, ZIO, ZLayer}
 import zio.mock.{Mock, Proxy}
 
@@ -70,7 +71,7 @@ object MockCredentialService extends Mock[CredentialService] {
   object ReceiveCredentialRequest extends Effect[RequestCredential, CredentialServiceError, IssueCredentialRecord]
   object AcceptCredentialRequest extends Effect[DidCommID, CredentialServiceError, IssueCredentialRecord]
   object GenerateJWTCredential extends Effect[(DidCommID, String), CredentialServiceError, IssueCredentialRecord]
-  object GenerateSDJWTCredential extends Effect[DidCommID, CredentialServiceError, IssueCredentialRecord]
+  object GenerateSDJWTCredential extends Effect[(DidCommID, Duration), CredentialServiceError, IssueCredentialRecord]
   object GenerateAnonCredsCredential extends Effect[DidCommID, CredentialServiceError, IssueCredentialRecord]
   object ReceiveCredentialIssue extends Effect[IssueCredential, CredentialServiceError, IssueCredentialRecord]
   object MarkOfferSent extends Effect[DidCommID, CredentialServiceError, IssueCredentialRecord]
@@ -191,9 +192,10 @@ object MockCredentialService extends Mock[CredentialService] {
         proxy(GenerateJWTCredential, recordId, statusListRegistryUrl)
 
       override def generateSDJWTCredential(
-          recordId: DidCommID
+          recordId: DidCommID,
+          expirationTime: Duration,
       ): ZIO[WalletAccessContext, CredentialServiceError, IssueCredentialRecord] =
-        proxy(GenerateSDJWTCredential, recordId)
+        proxy(GenerateSDJWTCredential, recordId, expirationTime)
 
       override def generateAnonCredsCredential(
           recordId: DidCommID

pollux/vc-jwt/src/main/scala/org/hyperledger/identus/pollux/vc/jwt/DidJWT.scala

@@ -56,11 +56,7 @@ class ES256KSigner(privateKey: PrivateKey) extends Signer {
 
 class EdSigner(ed25519KeyPair: Ed25519KeyPair) extends Signer {
   lazy val signer: Ed25519Signer = {
-    val d = java.util.Base64.getUrlEncoder.withoutPadding().encodeToString(ed25519KeyPair.privateKey.getEncoded)
-    val x = java.util.Base64.getUrlEncoder.withoutPadding().encodeToString(ed25519KeyPair.publicKey.getEncoded)
-    val okpJson = s"""{"kty":"OKP","crv":"Ed25519","d":"$d","x":"$x"}"""
-    val octetKeyPair = OctetKeyPair.parse(okpJson)
-    val ed25519Signer = Ed25519Signer(octetKeyPair)
+    val ed25519Signer = Ed25519Signer(ed25519KeyPair.toOctetKeyPair)
     ed25519Signer
   }