baseid_oid4vci/

credential.rs

//! Credential request and response types for OID4VCI.

use serde::{Deserialize, Serialize};

/// Token request for the pre-authorized code flow.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct TokenRequest {
    /// Grant type — `"urn:ietf:params:oauth:grant-type:pre-authorized_code"` for pre-auth flow.
    pub grant_type: String,
    /// The pre-authorized code from the credential offer.
    #[serde(rename = "pre-authorized_code")]
    pub pre_authorized_code: String,
    /// Optional transaction code (PIN) required by the issuer.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub tx_code: Option<String>,
}

/// Credential request sent to the credential endpoint (OID4VCI 1.0).
///
/// Use `credential_configuration_id` (preferred) or `credential_identifier` to identify
/// the requested credential. The `format` field is kept for backward compatibility
/// but is not required in OID4VCI 1.0.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CredentialRequest {
    /// Credential configuration ID from issuer metadata (OID4VCI 1.0 preferred).
    #[serde(skip_serializing_if = "Option::is_none")]
    pub credential_configuration_id: Option<String>,
    /// Credential identifier from token response authorization_details (OID4VCI 1.0).
    #[serde(skip_serializing_if = "Option::is_none")]
    pub credential_identifier: Option<String>,
    /// Credential format identifier (e.g., "jwt_vc_json", "dc+sd-jwt", "mso_mdoc").
    /// Deprecated in OID4VCI 1.0 — use credential_configuration_id instead.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub format: Option<String>,
    /// Credential definition specifying the type of credential.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub credential_definition: Option<serde_json::Value>,
    /// Proof of possession of the holder's key.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub proof: Option<ProofOfPossession>,
}

/// Proof of key binding sent with a credential request.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct ProofOfPossession {
    /// Proof type — typically "jwt".
    pub proof_type: String,
    /// The signed JWT proving key possession.
    pub jwt: String,
}

/// A single credential entry in the credential response.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CredentialEntry {
    /// The issued credential (format depends on the request).
    pub credential: serde_json::Value,
}

/// Credential response from the issuer's credential endpoint (OID4VCI 1.0).
///
/// For immediate issuance, `credentials` contains the issued credential(s).
/// For deferred issuance, `transaction_id` identifies the pending issuance.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CredentialResponse {
    /// Issued credentials (present for immediate issuance).
    #[serde(skip_serializing_if = "Option::is_none")]
    pub credentials: Option<Vec<CredentialEntry>>,
    /// Transaction ID for deferred issuance.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub transaction_id: Option<String>,
    /// Notification ID for credential lifecycle events.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub notification_id: Option<String>,
    /// Polling interval in seconds (deferred issuance).
    #[serde(skip_serializing_if = "Option::is_none")]
    pub interval: Option<u64>,
}

impl CredentialResponse {
    /// Returns the first issued credential, if any.
    pub fn first_credential(&self) -> Option<&serde_json::Value> {
        self.credentials
            .as_ref()
            .and_then(|creds| creds.first())
            .map(|entry| &entry.credential)
    }

    /// Returns true if this is a deferred issuance response.
    pub fn is_deferred(&self) -> bool {
        self.transaction_id.is_some()
    }
}

/// Well-known credential format identifiers from OID4VCI 1.0.
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
pub enum CredentialFormat {
    /// W3C VC signed as JWT (no JSON-LD processing).
    #[serde(rename = "jwt_vc_json")]
    JwtVcJson,
    /// W3C VC secured using Data Integrity proofs.
    #[serde(rename = "ldp_vc")]
    LdpVc,
    /// IETF SD-JWT Verifiable Credential.
    #[serde(rename = "dc+sd-jwt")]
    DcSdJwt,
    /// ISO 18013-5 mobile document (mDL/mdoc).
    #[serde(rename = "mso_mdoc")]
    MsoMdoc,
    /// W3C VC JWT with JSON-LD processing.
    #[serde(rename = "jwt_vc_json-ld")]
    JwtVcJsonLd,
    /// Other/unknown format.
    #[serde(untagged)]
    Other(String),
}

/// Server error codes from OID4VCI 1.0 Section 8.3.2.
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
pub enum ServerErrorCode {
    #[serde(rename = "invalid_credential_request")]
    InvalidCredentialRequest,
    #[serde(rename = "unknown_credential_configuration")]
    UnknownCredentialConfiguration,
    #[serde(rename = "unknown_credential_identifier")]
    UnknownCredentialIdentifier,
    #[serde(rename = "invalid_proof")]
    InvalidProof,
    #[serde(rename = "invalid_nonce")]
    InvalidNonce,
    #[serde(rename = "invalid_encryption_parameters")]
    InvalidEncryptionParameters,
    #[serde(rename = "credential_request_denied")]
    CredentialRequestDenied,
    /// Other/unknown error code.
    #[serde(untagged)]
    Other(String),
}

/// Pre-authorized code grant type constant.
pub const PRE_AUTHORIZED_CODE_GRANT_TYPE: &str =
    "urn:ietf:params:oauth:grant-type:pre-authorized_code";

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn token_request_serialization() {
        let req = TokenRequest {
            grant_type: PRE_AUTHORIZED_CODE_GRANT_TYPE.to_string(),
            pre_authorized_code: "code123".to_string(),
            tx_code: Some("1234".to_string()),
        };
        let json = serde_json::to_value(&req).unwrap();
        assert_eq!(
            json["grant_type"],
            "urn:ietf:params:oauth:grant-type:pre-authorized_code"
        );
        assert_eq!(json["pre-authorized_code"], "code123");
        assert_eq!(json["tx_code"], "1234");
    }

    #[test]
    fn credential_request_with_configuration_id() {
        let req = CredentialRequest {
            credential_configuration_id: Some("UniversityDegree".to_string()),
            credential_identifier: None,
            format: None,
            credential_definition: None,
            proof: None,
        };
        let json = serde_json::to_value(&req).unwrap();
        assert_eq!(json["credential_configuration_id"], "UniversityDegree");
        assert!(json.get("format").is_none());
        assert!(json.get("proof").is_none());
    }

    #[test]
    fn credential_request_with_identifier() {
        let req = CredentialRequest {
            credential_configuration_id: None,
            credential_identifier: Some("CivilEngineeringDegree-2023".to_string()),
            format: None,
            credential_definition: None,
            proof: None,
        };
        let json = serde_json::to_value(&req).unwrap();
        assert_eq!(json["credential_identifier"], "CivilEngineeringDegree-2023");
        assert!(json.get("credential_configuration_id").is_none());
    }

    #[test]
    fn credential_response_immediate() {
        let json = serde_json::json!({
            "credentials": [
                { "credential": "eyJhbGciOiJFUzI1NiJ9..." }
            ]
        });
        let resp: CredentialResponse = serde_json::from_value(json).unwrap();
        assert!(!resp.is_deferred());
        assert_eq!(
            resp.first_credential().unwrap(),
            &serde_json::json!("eyJhbGciOiJFUzI1NiJ9...")
        );
    }

    #[test]
    fn credential_response_multiple_with_notification() {
        let json = serde_json::json!({
            "credentials": [
                { "credential": "cred-1" },
                { "credential": "cred-2" }
            ],
            "notification_id": "3fwe98js"
        });
        let resp: CredentialResponse = serde_json::from_value(json).unwrap();
        let creds = resp.credentials.as_ref().unwrap();
        assert_eq!(creds.len(), 2);
        assert_eq!(creds[1].credential, "cred-2");
        assert_eq!(resp.notification_id.as_deref(), Some("3fwe98js"));
    }

    #[test]
    fn credential_response_deferred() {
        let json = serde_json::json!({
            "transaction_id": "8xLOxBtZp8",
            "interval": 3600
        });
        let resp: CredentialResponse = serde_json::from_value(json).unwrap();
        assert!(resp.is_deferred());
        assert_eq!(resp.transaction_id.as_deref(), Some("8xLOxBtZp8"));
        assert_eq!(resp.interval, Some(3600));
        assert!(resp.first_credential().is_none());
    }

    // --- Spec vector tests ---

    #[test]
    fn spec_vector_credential_response_immediate() {
        let resp: CredentialResponse =
            serde_json::from_str(baseid_test_vectors::oid4vci::CREDENTIAL_RESPONSE_IMMEDIATE)
                .unwrap();
        assert!(!resp.is_deferred());
        let cred = resp.first_credential().unwrap();
        assert!(cred.as_str().unwrap().contains("LUpixVCWJk0"));
    }

    #[test]
    fn spec_vector_credential_response_multiple() {
        let resp: CredentialResponse =
            serde_json::from_str(baseid_test_vectors::oid4vci::CREDENTIAL_RESPONSE_MULTIPLE)
                .unwrap();
        let creds = resp.credentials.as_ref().unwrap();
        assert_eq!(creds.len(), 2);
        assert_eq!(resp.notification_id.as_deref(), Some("3fwe98js"));
    }

    #[test]
    fn spec_vector_credential_response_deferred() {
        let resp: CredentialResponse =
            serde_json::from_str(baseid_test_vectors::oid4vci::CREDENTIAL_RESPONSE_DEFERRED)
                .unwrap();
        assert!(resp.is_deferred());
        assert_eq!(resp.transaction_id.as_deref(), Some("8xLOxBtZp8"));
        assert_eq!(resp.interval, Some(3600));
    }

    #[test]
    fn spec_vector_credential_request_mdoc() {
        let v: serde_json::Value =
            serde_json::from_str(baseid_test_vectors::oid4vci::CREDENTIAL_REQUEST_MDOC).unwrap();
        assert_eq!(v["credential_configuration_id"], "org.iso.18013.5.1.mDL");
        assert!(v["proofs"]["jwt"].is_array());
    }

    #[test]
    fn spec_vector_credential_request_by_identifier() {
        let v: serde_json::Value =
            serde_json::from_str(baseid_test_vectors::oid4vci::CREDENTIAL_REQUEST_BY_IDENTIFIER)
                .unwrap();
        assert_eq!(v["credential_identifier"], "CivilEngineeringDegree-2023");
    }

    #[test]
    fn spec_vector_proof_jwt_header() {
        let v: serde_json::Value =
            serde_json::from_str(baseid_test_vectors::oid4vci::PROOF_JWT_HEADER).unwrap();
        assert_eq!(v["typ"], "openid4vci-proof+jwt");
        assert_eq!(v["alg"], "ES256");
        assert_eq!(v["jwk"]["kty"], "EC");
        assert_eq!(v["jwk"]["crv"], "P-256");
    }

    #[test]
    fn spec_vector_proof_jwt_payload() {
        let v: serde_json::Value =
            serde_json::from_str(baseid_test_vectors::oid4vci::PROOF_JWT_PAYLOAD).unwrap();
        assert_eq!(v["aud"], "https://credential-issuer.example.com");
        assert!(v["iat"].is_u64());
        assert_eq!(v["nonce"], "LarRGSbmUPYtRYO6BQ4yn8");
    }

    #[test]
    fn spec_vector_nonce_response() {
        use crate::token::NonceResponse;
        let resp: NonceResponse =
            serde_json::from_str(baseid_test_vectors::oid4vci::NONCE_RESPONSE).unwrap();
        assert_eq!(resp.c_nonce, "wKI4LT17ac15ES9bw8ac4");
    }

    #[test]
    fn spec_vector_credential_error() {
        let v: serde_json::Value =
            serde_json::from_str(baseid_test_vectors::oid4vci::CREDENTIAL_ERROR).unwrap();
        assert_eq!(v["error"], "unknown_credential_configuration");
    }

    #[test]
    fn spec_vector_token_error() {
        let v: serde_json::Value =
            serde_json::from_str(baseid_test_vectors::oid4vci::TOKEN_ERROR).unwrap();
        assert_eq!(v["error"], "invalid_grant");
    }

    // --- Phase E: Typed enum tests ---

    #[test]
    fn credential_format_serde_known() {
        let formats = vec![
            (CredentialFormat::JwtVcJson, "\"jwt_vc_json\""),
            (CredentialFormat::LdpVc, "\"ldp_vc\""),
            (CredentialFormat::DcSdJwt, "\"dc+sd-jwt\""),
            (CredentialFormat::MsoMdoc, "\"mso_mdoc\""),
            (CredentialFormat::JwtVcJsonLd, "\"jwt_vc_json-ld\""),
        ];
        for (variant, expected) in formats {
            let json = serde_json::to_string(&variant).unwrap();
            assert_eq!(json, expected);
            let parsed: CredentialFormat = serde_json::from_str(&json).unwrap();
            assert_eq!(parsed, variant);
        }
    }

    #[test]
    fn credential_format_serde_unknown() {
        let unknown: CredentialFormat = serde_json::from_str("\"new_format\"").unwrap();
        assert_eq!(unknown, CredentialFormat::Other("new_format".to_string()));
        let json = serde_json::to_string(&unknown).unwrap();
        assert_eq!(json, "\"new_format\"");
    }

    #[test]
    fn server_error_code_serde_known() {
        let code: ServerErrorCode =
            serde_json::from_str("\"unknown_credential_configuration\"").unwrap();
        assert_eq!(code, ServerErrorCode::UnknownCredentialConfiguration);
        let json = serde_json::to_string(&code).unwrap();
        assert_eq!(json, "\"unknown_credential_configuration\"");
    }

    #[test]
    fn server_error_code_serde_all_variants() {
        for code_str in baseid_test_vectors::oid4vci::CREDENTIAL_ERROR_CODES {
            let code: ServerErrorCode = serde_json::from_str(&format!("\"{}\"", code_str)).unwrap();
            let json = serde_json::to_string(&code).unwrap();
            assert_eq!(json, format!("\"{}\"", code_str));
        }
    }
}