Very basic issuance matcher that matches against an allowlist of issuer names

QZHelen · QZHelen · commit e244392ea132 · 2025-05-20T15:54:48.000Z
diff --git a/app/src/main/assets/provision.wasm b/app/src/main/assets/provision.wasm
diff --git a/app/src/main/java/com/credman/cmwallet/CmWalletApplication.kt b/app/src/main/java/com/credman/cmwallet/CmWalletApplication.kt
@@ -1,14 +1,23 @@
 package com.credman.cmwallet
 
 import android.app.Application
+import android.graphics.Bitmap
 import android.util.Log
+import androidx.core.graphics.drawable.toBitmap
 import androidx.credentials.DigitalCredential
 import androidx.credentials.ExperimentalDigitalCredentialApi
 import androidx.credentials.provider.CallingAppInfo
 import androidx.credentials.registry.provider.RegisterCredentialsRequest
 import androidx.credentials.registry.provider.RegistryManager
 import androidx.room.Room
 import com.credman.cmwallet.data.repository.CredentialRepository
+import com.credman.cmwallet.data.repository.CredentialRepository.Companion.ICON
+import com.credman.cmwallet.data.repository.CredentialRepository.Companion.ID
+import com.credman.cmwallet.data.repository.CredentialRepository.Companion.LENGTH
+import com.credman.cmwallet.data.repository.CredentialRepository.Companion.START
+import com.credman.cmwallet.data.repository.CredentialRepository.Companion.SUBTITLE
+import com.credman.cmwallet.data.repository.CredentialRepository.Companion.TITLE
+import com.credman.cmwallet.data.repository.CredentialRepository.RegistryIcon
 import com.credman.cmwallet.data.room.CredentialDatabase
 import com.credman.cmwallet.mdoc.MDoc
 import com.google.android.gms.identitycredentials.IdentityCredentialClient
@@ -19,8 +28,12 @@ import kotlinx.coroutines.Dispatchers
 import kotlinx.coroutines.SupervisorJob
 import kotlinx.coroutines.launch
 import org.json.JSONObject
+import java.io.ByteArrayOutputStream
+import java.nio.ByteBuffer
+import java.nio.ByteOrder
 import kotlin.io.encoding.ExperimentalEncodingApi
 
+
 class CmWalletApplication : Application() {
     companion object {
         lateinit var database: CredentialDatabase
@@ -119,7 +132,7 @@ class CmWalletApplication : Application() {
 
         identityCredentialClient.registerCreationOptions(
             RegisterCreationOptionsRequest(
-                createOptions = ByteArray(0),
+                createOptions = buildIssuanceData(),
                 matcher = loadIssuanceMatcher(),
                 type = DigitalCredential.TYPE_DIGITAL_CREDENTIAL,
                 id = "openid4vci",
@@ -157,8 +170,23 @@ class CmWalletApplication : Application() {
         return readAsset("openid4vp1_0.wasm")
     }
 
+    private fun buildIssuanceData(): ByteArray {
+        val walletIcon = resources.getDrawable(R.mipmap.ic_launcher, theme).toBitmap()
+        val iconBuffer = ByteArrayOutputStream()
+        walletIcon.compress(Bitmap.CompressFormat.PNG, 100, iconBuffer)
+
+        val data = CredentialRepository.IssuanceRegistryData(
+            icon = iconBuffer.toByteArray(),
+            title = resources.getString(R.string.app_name),
+            subtitle = "Save your document to CMWallet",
+            issuerAllowlist = listOf("https://digital-credentials.dev", "http://localhost:8080")
+        )
+
+        return data.toRegistryDatabase()
+    }
+
     private fun loadIssuanceMatcher(): ByteArray {
-        return readAsset("provision_hardcoded.wasm")
+        return readAsset("provision.wasm")
     }
 
     private fun loadPhoneNumberMatcher(): ByteArray {
diff --git a/app/src/main/java/com/credman/cmwallet/data/repository/CredentialRepository.kt b/app/src/main/java/com/credman/cmwallet/data/repository/CredentialRepository.kt
@@ -1,11 +1,14 @@
 package com.credman.cmwallet.data.repository
 
+import android.graphics.Bitmap
 import android.os.Build
 import android.util.Log
+import androidx.core.graphics.drawable.toBitmap
 import androidx.credentials.DigitalCredential
 import androidx.credentials.ExperimentalDigitalCredentialApi
 import androidx.credentials.registry.provider.RegisterCredentialsRequest
 import androidx.credentials.registry.provider.RegistryManager
+import com.credman.cmwallet.R
 import com.credman.cmwallet.data.model.CredentialDisplayData
 import com.credman.cmwallet.data.model.CredentialItem
 import com.credman.cmwallet.data.model.CredentialKeySoftware
@@ -112,6 +115,46 @@ class CredentialRepository {
 
     }
 
+    class IssuanceRegistryData(
+        val icon: ByteArray, // Entry icon for display
+        val title: String, // Entry subtitle for display
+        val subtitle: String?, // Entry subtitle for display
+        val issuerAllowlist: List<String>,
+    ) {
+        fun toRegistryDatabase(): ByteArray {
+            val out = ByteArrayOutputStream()
+
+            // Write the offset to the json
+            val jsonOffset = 4 + icon.size
+            val buffer = ByteBuffer.allocate(4)
+            buffer.order(ByteOrder.LITTLE_ENDIAN)
+            buffer.putInt(jsonOffset)
+            out.write(buffer.array())
+
+            // Write the icons, currently write just one, being the wallet logo
+            out.write(icon)
+
+            val json = JSONObject().apply {
+                put("display", JSONObject().apply {
+                    put(TITLE, title)
+                    putOpt(SUBTITLE, subtitle)
+                    val iconJson = JSONObject().apply {
+                        put(START, 4)
+                        put(LENGTH, icon.size)
+                    } // Hardcoded for now
+                    put(ICON, iconJson)
+                })
+                val capabilities = JSONObject()
+                for (iss in issuerAllowlist) {
+                    capabilities.put(iss, JSONObject())
+                }
+                put("capabilities", capabilities)
+            }
+            out.write(json.toString().toByteArray())
+            return out.toByteArray()
+        }
+    }
+
     class RegistryIcon(
         val iconValue: ByteArray,
         var iconOffset: Int = 0
diff --git a/app/src/main/java/com/credman/cmwallet/pnv/PnvTokenRegistry.kt b/app/src/main/java/com/credman/cmwallet/pnv/PnvTokenRegistry.kt
@@ -51,6 +51,7 @@ data class PnvTokenRegistry(
     val providerConsent: String?,
     val subscriptionHint: Int,
     val carrierHint: String,
+    val androidCarrierHint: Int,
     val phoneNumberHint: String?,
     val iss: String,
     val icon: String? = null,
@@ -65,6 +66,7 @@ data class PnvTokenRegistry(
                     listOf(
                         RegistryClaim("subscription_hint", null, subscriptionHint),
                         RegistryClaim("carrier_hint", null, carrierHint),
+                        RegistryClaim("android_carrier_hint", null, androidCarrierHint),
                         RegistryClaim("phone_number_hint", null, phoneNumberHint),
                     ),
                 displayData = ItemDisplayData(title = title, subtitle = subtitle, description = providerConsent),
@@ -94,6 +96,7 @@ data class PnvTokenRegistry(
             providerConsent = "CMWallet will enable your carrier (Terrific Telecom) to share your phone number",
             subscriptionHint = 1,
             carrierHint = "310250",
+            androidCarrierHint = 3,
             phoneNumberHint = "+16502154321",
             iss = "https://example.terrific-telecom.dev",
             icon = "iVBORw0KGgoAAAANSUhEUgAAAA4AAAAWCAYAAADwza0nAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAACBSURBVHgB7ZTBDUVQEEXvff8VoITfC0YZatABHWiH6IUOaICHBCuReXbEWd1kcmZmMRmGIinhSpABFBDoJpqccSKtA/7wY7C71FQ1NUaUyKIg4Ba8MbiJ3YPnqvcnfuI7xAfdqr0qXjU9FTXTGUnca//NIYGdoflla1BbDsPIqZgBHcEomi+uUHMAAAAASUVORK5CYII=",
@@ -110,6 +113,7 @@ data class PnvTokenRegistry(
             providerConsent = "CMWallet will enable your carrier (Timely Telecom) to share your phone number",
             subscriptionHint = 2,
             carrierHint = "380250",
+            androidCarrierHint = 3,
             phoneNumberHint = "+16502157890",
             iss = "https://example.timely-telecom.dev",
             icon = "iVBORw0KGgoAAAANSUhEUgAAAA4AAAAWCAYAAADwza0nAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAACBSURBVHgB7ZTBDUVQEEXvff8VoITfC0YZatABHWiH6IUOaICHBCuReXbEWd1kcmZmMRmGIinhSpABFBDoJpqccSKtA/7wY7C71FQ1NUaUyKIg4Ba8MbiJ3YPnqvcnfuI7xAfdqr0qXjU9FTXTGUnca//NIYGdoflla1BbDsPIqZgBHcEomi+uUHMAAAAASUVORK5CYII=",
diff --git a/matcher/issuance/provision.c b/matcher/issuance/provision.c
@@ -0,0 +1,91 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <stdint.h>
+#include <unistd.h>
+#include "../cJSON/cJSON.h"
+#include "../credentialmanager.h"
+
+#include "launcher_icon.h"
+
+#define PROTOCOL_OPENID4VCI "openid4vci1.0"
+
+cJSON* GetDCRequestJson() {
+    uint32_t request_size;
+    GetRequestSize(&request_size);
+    char* request_json = malloc(request_size);
+    GetRequestBuffer(request_json);
+    return cJSON_Parse(request_json);
+}
+
+cJSON* GetCredsJson() {
+    uint32_t credentials_size;
+    GetCredentialsSize(&credentials_size);
+    char* creds_json = malloc(credentials_size);
+    ReadCredentialsBuffer(creds_json, 0, credentials_size);
+    return cJSON_Parse(creds_json);
+}
+
+int main() {uint32_t credentials_size;
+    GetCredentialsSize(&credentials_size);
+
+    char* creds_blob = malloc(credentials_size);
+    ReadCredentialsBuffer(creds_blob, 0, credentials_size);
+
+    int json_offset = *((int*)creds_blob);
+    printf("Creds JSON offset %d\n", json_offset);
+
+    cJSON* creds = cJSON_Parse(creds_blob + json_offset);
+    printf("Creds JSON %s\n", cJSON_Print(creds));
+    /* 
+      {
+        "display": {
+            "icon": {...},
+            "title": "...",
+            "subtitle": "..."
+        },
+        capability: {
+            "issuer1": {},
+            "issuer2": {}
+        }
+      }
+    */
+
+    cJSON* dc_request = GetDCRequestJson();
+    printf("Request JSON %s\n", cJSON_Print(dc_request));
+
+    cJSON* requests = cJSON_GetObjectItem(dc_request, "requests");
+    int requests_size = cJSON_GetArraySize(requests);
+    for(int i=0; i<requests_size; i++) {
+        cJSON* request = cJSON_GetArrayItem(requests, i);
+        char* protocol = cJSON_GetStringValue(cJSON_GetObjectItem(request, "protocol"));
+        if (strcmp(protocol, PROTOCOL_OPENID4VCI) == 0) {
+            // We have an OpenID4VCI request
+            cJSON* cred_offer = cJSON_GetObjectItem(request, "data");
+            cJSON* credential_issuer = cJSON_GetObjectItem(cred_offer, "credential_issuer");
+        
+            cJSON* capabilities = cJSON_GetObjectItem(creds, "capabilities");
+            if(cJSON_HasObjectItem(capabilities, cJSON_GetStringValue(credential_issuer))) {
+                cJSON* display = cJSON_GetObjectItem(creds, "display");
+                cJSON* icon = cJSON_GetObjectItem(display, "icon");
+                int icon_start_int = 0;
+                int icon_len = 0;
+                if (icon != NULL) {
+                    cJSON* start = cJSON_GetObjectItem(icon, "start");
+                    cJSON* length = cJSON_GetObjectItem(icon, "length");
+                    if (start != NULL && length != NULL) {
+                        double icon_start = (cJSON_GetNumberValue(start));
+                        icon_start_int = icon_start;
+                        icon_len = (int)(cJSON_GetNumberValue(length));
+                    }
+                }
+                cJSON* title = cJSON_GetObjectItem(display, "title");
+                cJSON* subtitle = cJSON_GetObjectItem(display, "subtitle");
+                
+                AddStringIdEntry("0", creds_blob + icon_start_int, icon_len, cJSON_GetStringValue(title), cJSON_GetStringValue(subtitle), NULL, NULL);
+            }
+        }
+    }
+	return 0;
+}
diff --git a/matcher/issuance/provision_hardcoded.c b/matcher/issuance/provision_hardcoded.c
