a-sit-plus · nodh · Sep 11, 2023 · Sep 1, 2023 · Sep 1, 2023 · Sep 1, 2023
diff --git a/vclib-aries/src/commonMain/kotlin/at/asitplus/wallet/lib/msg/JwmAttachment.kt b/vclib-aries/src/commonMain/kotlin/at/asitplus/wallet/lib/msg/JwmAttachment.kt
@@ -1,16 +1,13 @@
 package at.asitplus.wallet.lib.msg
 
 import at.asitplus.wallet.lib.aries.jsonSerializer
+import at.asitplus.wallet.lib.data.Base64Strict
 import com.benasher44.uuid.uuid4
 import io.github.aakira.napier.Napier
-import io.matthewnelson.component.base64.decodeBase64ToArray
-import io.matthewnelson.component.base64.encodeBase64
-import io.matthewnelson.encoding.base64.Base64
 import io.matthewnelson.encoding.core.Decoder.Companion.decodeToByteArrayOrNull
 import io.matthewnelson.encoding.core.Encoder.Companion.encodeToString
 import kotlinx.serialization.SerialName
 import kotlinx.serialization.Serializable
-import kotlinx.serialization.decodeFromString
 import kotlinx.serialization.encodeToString
 
 /**
@@ -33,7 +30,7 @@ data class JwmAttachment(
 
     fun decodeString(): String? {
         if (data.base64 != null)
-            return data.base64.decodeToByteArrayOrNull(Base64())?.decodeToString()
+            return data.base64.decodeToByteArrayOrNull(Base64Strict)?.decodeToString()
         if (data.jws != null)
             return data.jws
         return null
@@ -42,7 +39,7 @@ data class JwmAttachment(
 
     fun decodeBinary(): ByteArray? {
         if (data.base64 != null)
-            return data.base64.decodeToByteArrayOrNull(Base64())
+            return data.base64.decodeToByteArrayOrNull(Base64Strict)
         return null
             .also { Napier.w("Could not binary decode JWM attachment") }
     }
@@ -60,15 +57,15 @@ data class JwmAttachment(
             id = uuid4().toString(),
             mediaType = "application/base64",
             data = JwmAttachmentData(
-                base64 = data.encodeToByteArray().encodeToString(Base64())
+                base64 = data.encodeToByteArray().encodeToString(Base64Strict)
             )
         )
 
         fun encodeBase64(data: ByteArray) = JwmAttachment(
             id = uuid4().toString(),
             mediaType = "application/base64",
             data = JwmAttachmentData(
-                base64 = data.encodeToString(Base64())
+                base64 = data.encodeToString(Base64Strict)
             )
         )
 
@@ -78,7 +75,7 @@ data class JwmAttachment(
             filename = filename,
             parent = parent,
             data = JwmAttachmentData(
-                base64 = data.encodeToString(Base64())
+                base64 = data.encodeToString(Base64Strict)
             )
         )
 

diff --git a/...b-aries/src/commonTest/kotlin/at/asitplus/wallet/lib/aries/DummyCredentialDataProvider.kt b/...b-aries/src/commonTest/kotlin/at/asitplus/wallet/lib/aries/DummyCredentialDataProvider.kt
@@ -7,7 +7,8 @@ import at.asitplus.wallet.lib.agent.IssuerCredentialDataProvider
 import at.asitplus.wallet.lib.cbor.CoseKey
 import at.asitplus.wallet.lib.data.AtomicAttribute2023
 import at.asitplus.wallet.lib.data.ConstantIndex
-import io.matthewnelson.component.encoding.base16.encodeBase16
+import io.matthewnelson.encoding.base16.Base16
+import io.matthewnelson.encoding.core.Encoder.Companion.encodeToString
 import kotlinx.datetime.Clock
 import kotlin.random.Random
 import kotlin.time.Duration.Companion.minutes
@@ -60,7 +61,7 @@ class DummyCredentialDataProvider(
         )
     }
 
-    private fun randomValue() = Random.nextBytes(32).encodeBase16()
+    private fun randomValue() = Random.nextBytes(32).encodeToString(Base16(strict = true))
 
 }
 
diff --git a/vclib-openid/src/commonMain/kotlin/at/asitplus/wallet/lib/oidc/OidcSiopWallet.kt b/vclib-openid/src/commonMain/kotlin/at/asitplus/wallet/lib/oidc/OidcSiopWallet.kt
@@ -34,7 +34,6 @@ import io.github.aakira.napier.Napier
 import io.ktor.http.URLBuilder
 import io.ktor.http.Url
 import io.ktor.util.flattenEntries
-import io.matthewnelson.component.encoding.base16.encodeBase16
 import io.matthewnelson.encoding.base16.Base16
 import io.matthewnelson.encoding.core.Encoder.Companion.encodeToString
 import kotlinx.datetime.Clock
@@ -292,7 +291,7 @@ class OidcSiopWallet(
                     AuthenticationResponseParameters(
                         idToken = signedIdToken,
                         state = params.state,
-                        vpToken = vp.document.serialize().encodeToString(Base16()),
+                        vpToken = vp.document.serialize().encodeToString(Base16(strict = true)),
                         presentationSubmission = presentationSubmission,
                     )
                 )

diff --git a/vclib-openid/src/commonMain/kotlin/at/asitplus/wallet/lib/oidvci/IssuerService.kt b/vclib-openid/src/commonMain/kotlin/at/asitplus/wallet/lib/oidvci/IssuerService.kt
@@ -4,6 +4,7 @@ import at.asitplus.wallet.lib.agent.Issuer
 import at.asitplus.wallet.lib.cbor.CoseEllipticCurve
 import at.asitplus.wallet.lib.cbor.CoseKey
 import at.asitplus.wallet.lib.cbor.CoseKeyType
+import at.asitplus.wallet.lib.data.Base64UrlStrict
 import at.asitplus.wallet.lib.data.ConstantIndex
 import at.asitplus.wallet.lib.data.VcDataModelConstants.VERIFIABLE_CREDENTIAL
 import at.asitplus.wallet.lib.iso.IsoDataModelConstants.DOC_TYPE_MDL
@@ -22,8 +23,7 @@ import at.asitplus.wallet.lib.oidc.OpenIdConstants.TOKEN_PREFIX_BEARER
 import at.asitplus.wallet.lib.oidc.OpenIdConstants.TOKEN_TYPE_BEARER
 import at.asitplus.wallet.lib.oidc.OpenIdConstants.URN_TYPE_JWK_THUMBPRINT
 import at.asitplus.wallet.lib.oidvci.mdl.RequestedCredentialClaimSpecification
-import io.ktor.http.*
-import io.matthewnelson.encoding.base64.Base64
+import io.ktor.http.URLBuilder
 import io.matthewnelson.encoding.core.Encoder.Companion.encodeToString
 import kotlin.coroutines.cancellation.CancellationException
 
@@ -167,8 +167,7 @@ class IssuerService(
         return when (val issuedCredential = issuedCredentialResult.successful.first()) {
             is Issuer.IssuedCredential.Iso -> CredentialResponseParameters(
                 format = CredentialFormatEnum.MSO_MDOC,
-                credential = issuedCredential.issuerSigned.serialize()
-                    .encodeToString(Base64 { encodeToUrlSafe = true; padEncoded = false })
+                credential = issuedCredential.issuerSigned.serialize().encodeToString(Base64UrlStrict)
             )
 
             is Issuer.IssuedCredential.Vc -> CredentialResponseParameters(

diff --git a/...b-openid/src/commonTest/kotlin/at/asitplus/wallet/lib/oidc/DummyCredentialDataProvider.kt b/...b-openid/src/commonTest/kotlin/at/asitplus/wallet/lib/oidc/DummyCredentialDataProvider.kt
@@ -11,7 +11,8 @@ import at.asitplus.wallet.lib.iso.DrivingPrivilege
 import at.asitplus.wallet.lib.iso.ElementValue
 import at.asitplus.wallet.lib.iso.IsoDataModelConstants.DataElements
 import at.asitplus.wallet.lib.iso.IssuerSignedItem
-import io.matthewnelson.component.encoding.base16.encodeBase16
+import io.matthewnelson.encoding.base16.Base16
+import io.matthewnelson.encoding.core.Encoder.Companion.encodeToString
 import kotlinx.datetime.Clock
 import kotlinx.datetime.LocalDate
 import kotlin.random.Random
@@ -91,7 +92,7 @@ class DummyCredentialDataProvider(
         return KmmResult.success(listOfAttributes)
     }
 
-    private fun randomValue() = Random.nextBytes(32).encodeBase16()
+    private fun randomValue() = Random.nextBytes(32).encodeToString(Base16(strict = true))
 
     fun buildIssuerSignedItem(elementIdentifier: String, elementValue: String, digestId: UInt) = IssuerSignedItem(
         digestId = digestId,

diff --git a/vclib/src/commonMain/kotlin/at/asitplus/wallet/lib/agent/InMemoryIssuerCredentialStore.kt b/vclib/src/commonMain/kotlin/at/asitplus/wallet/lib/agent/InMemoryIssuerCredentialStore.kt
@@ -3,7 +3,6 @@ package at.asitplus.wallet.lib.agent
 import at.asitplus.wallet.lib.data.CredentialSubject
 import at.asitplus.wallet.lib.iso.IssuerSignedItem
 import at.asitplus.wallet.lib.iso.sha256
-import io.matthewnelson.component.encoding.base16.encodeBase16
 import io.matthewnelson.encoding.base16.Base16
 import io.matthewnelson.encoding.core.Encoder.Companion.encodeToString
 import kotlinx.datetime.Instant
@@ -47,7 +46,7 @@ class InMemoryIssuerCredentialStore : IssuerCredentialStore {
         val list = map.getOrPut(timePeriod) { mutableListOf() }
         val newIndex = (list.maxOfOrNull { it.statusListIndex } ?: 0) + 1
         list += Credential(
-            vcId = issuerSignedItemList.toString().encodeToByteArray().sha256().encodeToString(Base16()),
+            vcId = issuerSignedItemList.toString().encodeToByteArray().sha256().encodeToString(Base16(strict = true)),
             statusListIndex = newIndex,
             revoked = false,
             expirationDate = expirationDate

diff --git a/vclib/src/commonMain/kotlin/at/asitplus/wallet/lib/agent/IssuerAgent.kt b/vclib/src/commonMain/kotlin/at/asitplus/wallet/lib/agent/IssuerAgent.kt
@@ -9,6 +9,7 @@ import at.asitplus.wallet.lib.cbor.CoseHeader
 import at.asitplus.wallet.lib.cbor.CoseKey
 import at.asitplus.wallet.lib.cbor.CoseService
 import at.asitplus.wallet.lib.cbor.DefaultCoseService
+import at.asitplus.wallet.lib.data.Base64Strict
 import at.asitplus.wallet.lib.data.CredentialStatus
 import at.asitplus.wallet.lib.data.RevocationListSubject
 import at.asitplus.wallet.lib.data.VcDataModelConstants.REVOCATION_LIST_MIN_SIZE
@@ -28,12 +29,9 @@ import at.asitplus.wallet.lib.jws.JwsContentTypeConstants
 import at.asitplus.wallet.lib.jws.JwsService
 import com.benasher44.uuid.uuid4
 import io.github.aakira.napier.Napier
-import io.matthewnelson.component.base64.encodeBase64
 import io.matthewnelson.encoding.base64.Base64
 import io.matthewnelson.encoding.core.Encoder.Companion.encodeToString
 import kotlinx.datetime.Clock
-import kotlinx.datetime.DateTimeUnit
-import kotlinx.datetime.plus
 import kotlin.time.Duration
 import kotlin.time.Duration.Companion.hours
 
@@ -221,7 +219,7 @@ class IssuerAgent(
         issuerCredentialStore.getRevokedStatusListIndexList(timePeriod)
             .forEach { bitset[it] = true }
         val input = bitset.toByteArray()
-        return zlibService.compress(input)?.encodeToString(Base64())
+        return zlibService.compress(input)?.encodeToString(Base64Strict)
     }
 
     /**

diff --git a/vclib/src/commonMain/kotlin/at/asitplus/wallet/lib/agent/Validator.kt b/vclib/src/commonMain/kotlin/at/asitplus/wallet/lib/agent/Validator.kt
@@ -6,6 +6,7 @@ import at.asitplus.wallet.lib.ZlibService
 import at.asitplus.wallet.lib.cbor.CoseKey
 import at.asitplus.wallet.lib.cbor.DefaultVerifierCoseService
 import at.asitplus.wallet.lib.cbor.VerifierCoseService
+import at.asitplus.wallet.lib.data.Base64Strict
 import at.asitplus.wallet.lib.data.IsoDocumentParsed
 import at.asitplus.wallet.lib.data.RevocationListSubject
 import at.asitplus.wallet.lib.data.VerifiableCredentialJws
@@ -24,10 +25,7 @@ import at.asitplus.wallet.lib.jws.JwsSigned
 import at.asitplus.wallet.lib.jws.VerifierJwsService
 import at.asitplus.wallet.lib.toBitSet
 import io.github.aakira.napier.Napier
-import io.matthewnelson.component.base64.decodeBase64ToArray
-import io.matthewnelson.component.encoding.base16.encodeBase16
 import io.matthewnelson.encoding.base16.Base16
-import io.matthewnelson.encoding.base64.Base64
 import io.matthewnelson.encoding.core.Decoder.Companion.decodeToByteArrayOrNull
 import io.matthewnelson.encoding.core.Encoder.Companion.encodeToString
 import kotlinx.serialization.cbor.ByteStringWrapper
@@ -90,7 +88,7 @@ class Validator(
             return false
                 .also { Napier.d("credentialSubject invalid") }
         val encodedList = parsedVc.jws.vc.credentialSubject.encodedList
-        this.revocationList = encodedList.decodeToByteArrayOrNull(Base64())?.let {
+        this.revocationList = encodedList.decodeToByteArrayOrNull(Base64Strict)?.let {
             zlibService.decompress(it)?.toBitSet() ?: return false.also { Napier.d("Invalid ZLIB") }
         } ?: return false.also { Napier.d("Invalid Base64") }
         Napier.d("Revocation list is valid")
@@ -190,56 +188,80 @@ class Validator(
      */
     fun verifyDocument(doc: Document, challenge: String): Verifier.VerifyPresentationResult {
         if (doc.docType != DOC_TYPE_MDL)
-            return Verifier.VerifyPresentationResult.InvalidStructure(doc.serialize().encodeToString(Base16()))
+            return Verifier.VerifyPresentationResult.InvalidStructure(
+                doc.serialize().encodeToString(Base16(strict = true))
+            )
                 .also { Napier.w("Invalid docType: ${doc.docType}") }
         if (doc.errors != null) {
-            return Verifier.VerifyPresentationResult.InvalidStructure(doc.serialize().encodeToString(Base16()))
+            return Verifier.VerifyPresentationResult.InvalidStructure(
+                doc.serialize().encodeToString(Base16(strict = true))
+            )
                 .also { Napier.w("Document has errors: ${doc.errors}") }
         }
         val issuerSigned = doc.issuerSigned
         val issuerAuth = issuerSigned.issuerAuth
 
         val issuerKey = issuerAuth.unprotectedHeader?.certificateChain?.let {
             CryptoUtils.extractPublicKeyFromX509Cert(it)?.toCoseKey()
-        } ?: return Verifier.VerifyPresentationResult.InvalidStructure(doc.serialize().encodeToString(Base16()))
+        } ?: return Verifier.VerifyPresentationResult.InvalidStructure(
+            doc.serialize().encodeToString(Base16(strict = true))
+        )
             .also { Napier.w("Got no issuer key in $issuerAuth") }
 
         if (verifierCoseService.verifyCose(issuerAuth, issuerKey).getOrNull() != true) {
-            return Verifier.VerifyPresentationResult.InvalidStructure(doc.serialize().encodeToString(Base16()))
+            return Verifier.VerifyPresentationResult.InvalidStructure(
+                doc.serialize().encodeToString(Base16(strict = true))
+            )
                 .also { Napier.w("IssuerAuth not verified: $issuerAuth") }
         }
 
         val mso = issuerSigned.getIssuerAuthPayloadAsMso()
-            ?: return Verifier.VerifyPresentationResult.InvalidStructure(doc.serialize().encodeToString(Base16()))
-                .also { Napier.w("MSO is null: ${issuerAuth.payload?.encodeToString(Base16())}") }
+            ?: return Verifier.VerifyPresentationResult.InvalidStructure(
+                doc.serialize().encodeToString(Base16(strict = true))
+            )
+                .also { Napier.w("MSO is null: ${issuerAuth.payload?.encodeToString(Base16(strict = true))}") }
         if (mso.docType != DOC_TYPE_MDL) {
-            return Verifier.VerifyPresentationResult.InvalidStructure(doc.serialize().encodeToString(Base16()))
+            return Verifier.VerifyPresentationResult.InvalidStructure(
+                doc.serialize().encodeToString(Base16(strict = true))
+            )
                 .also { Napier.w("Invalid docType in MSO: ${mso.docType}") }
         }
         val mdlItems = mso.valueDigests[NAMESPACE_MDL]
-            ?: return Verifier.VerifyPresentationResult.InvalidStructure(doc.serialize().encodeToString(Base16()))
+            ?: return Verifier.VerifyPresentationResult.InvalidStructure(
+                doc.serialize().encodeToString(Base16(strict = true))
+            )
                 .also { Napier.w("mdlItems are null in MSO: ${mso.valueDigests}") }
 
         val walletKey = mso.deviceKeyInfo.deviceKey
         val deviceSignature = doc.deviceSigned.deviceAuth.deviceSignature
-            ?: return Verifier.VerifyPresentationResult.InvalidStructure(doc.serialize().encodeToString(Base16()))
+            ?: return Verifier.VerifyPresentationResult.InvalidStructure(
+                doc.serialize().encodeToString(Base16(strict = true))
+            )
                 .also { Napier.w("DeviceSignature is null: ${doc.deviceSigned.deviceAuth}") }
 
         if (verifierCoseService.verifyCose(deviceSignature, walletKey).getOrNull() != true) {
-            return Verifier.VerifyPresentationResult.InvalidStructure(doc.serialize().encodeToString(Base16()))
+            return Verifier.VerifyPresentationResult.InvalidStructure(
+                doc.serialize().encodeToString(Base16(strict = true))
+            )
                 .also { Napier.w("DeviceSignature not verified") }
         }
 
         val deviceSignaturePayload = deviceSignature.payload
-            ?: return Verifier.VerifyPresentationResult.InvalidStructure(doc.serialize().encodeToString(Base16()))
+            ?: return Verifier.VerifyPresentationResult.InvalidStructure(
+                doc.serialize().encodeToString(Base16(strict = true))
+            )
                 .also { Napier.w("DeviceSignature does not contain challenge") }
         if (!deviceSignaturePayload.contentEquals(challenge.encodeToByteArray())) {
-            return Verifier.VerifyPresentationResult.InvalidStructure(doc.serialize().encodeToString(Base16()))
+            return Verifier.VerifyPresentationResult.InvalidStructure(
+                doc.serialize().encodeToString(Base16(strict = true))
+            )
                 .also { Napier.w("DeviceSignature does not contain correct challenge") }
         }
 
         val issuerSignedItems = issuerSigned.namespaces?.get(NAMESPACE_MDL)
-            ?: return Verifier.VerifyPresentationResult.InvalidStructure(doc.serialize().encodeToString(Base16()))
+            ?: return Verifier.VerifyPresentationResult.InvalidStructure(
+                doc.serialize().encodeToString(Base16(strict = true))
+            )
                 .also { Napier.w("No issuer signed items in ${issuerSigned.namespaces}") }
 
         val validatedItems = issuerSignedItems.entries.associateWith { it.verify(mdlItems) }
@@ -255,7 +277,9 @@ class Validator(
         val issuerHash = mdlItems.entries.first { it.key == value.digestId }
         // TODO analyze usages of tag wrapping
         val verifierHash = serialized.wrapInCborTag(24).sha256()
-        if (!verifierHash.encodeToString(Base16()).contentEquals(issuerHash.value.encodeToString(Base16()))) {
+        if (!verifierHash.encodeToString(Base16(strict = true))
+                .contentEquals(issuerHash.value.encodeToString(Base16(strict = true)))
+        ) {
             Napier.w("Could not verify hash of value for ${value.elementIdentifier}")
             return false
         }
@@ -307,12 +331,16 @@ class Validator(
         Napier.d("Verifying ISO Cred $it")
         if (issuerKey == null) {
             Napier.w("ISO: No issuer key")
-            return Verifier.VerifyCredentialResult.InvalidStructure(it.serialize().encodeToString(Base16()))
+            return Verifier.VerifyCredentialResult.InvalidStructure(
+                it.serialize().encodeToString(Base16(strict = true))
+            )
         }
         val result = verifierCoseService.verifyCose(it.issuerAuth, issuerKey)
         if (result.getOrNull() != true) {
             Napier.w("ISO: Could not verify credential", result.exceptionOrNull())
-            return Verifier.VerifyCredentialResult.InvalidStructure(it.serialize().encodeToString(Base16()))
+            return Verifier.VerifyCredentialResult.InvalidStructure(
+                it.serialize().encodeToString(Base16(strict = true))
+            )
         }
         return Verifier.VerifyCredentialResult.SuccessIso(it)
     }

diff --git a/vclib/src/commonMain/kotlin/at/asitplus/wallet/lib/agent/VerifierAgent.kt b/vclib/src/commonMain/kotlin/at/asitplus/wallet/lib/agent/VerifierAgent.kt
@@ -5,7 +5,6 @@ import at.asitplus.wallet.lib.data.VerifiablePresentationParsed
 import at.asitplus.wallet.lib.iso.Document
 import at.asitplus.wallet.lib.jws.JwsSigned
 import io.github.aakira.napier.Napier
-import io.matthewnelson.component.encoding.base16.decodeBase16ToArray
 import io.matthewnelson.encoding.base16.Base16
 import io.matthewnelson.encoding.core.Decoder.Companion.decodeToByteArrayOrNull
 
@@ -58,7 +57,7 @@ class VerifierAgent private constructor(
             return validator.verifyVpJws(it, challenge, identifier)
         }
         val document =
-            runCatching { it.decodeToByteArrayOrNull(Base16())?.let { bytes -> Document.deserialize(bytes) } }.getOrNull()
+            runCatching { it.decodeToByteArrayOrNull(Base16(strict = true))?.let { bytes -> Document.deserialize(bytes) } }.getOrNull()
         if (document != null) {
             return validator.verifyDocument(document, challenge)
         }

diff --git a/vclib/src/commonMain/kotlin/at/asitplus/wallet/lib/cbor/CoseHeader.kt b/vclib/src/commonMain/kotlin/at/asitplus/wallet/lib/cbor/CoseHeader.kt
@@ -2,8 +2,6 @@ package at.asitplus.wallet.lib.cbor
 
 import at.asitplus.wallet.lib.iso.cborSerializer
 import io.github.aakira.napier.Napier
-import io.ktor.http.content.ByteArrayContent
-import io.matthewnelson.component.encoding.base16.encodeBase16
 import io.matthewnelson.encoding.base16.Base16
 import io.matthewnelson.encoding.core.Encoder.Companion.encodeToString
 import kotlinx.serialization.ExperimentalSerializationApi
@@ -95,10 +93,10 @@ data class CoseHeader(
         return "CoseHeader(algorithm=$algorithm," +
                 " criticalHeaders=$criticalHeaders," +
                 " contentType=$contentType," +
-                " kid=${kid?.encodeToString(Base16())}," +
-                " iv=${iv?.encodeToString(Base16())}," +
-                " partialIv=${partialIv?.encodeToString(Base16())}," +
-                " certificateChain=${certificateChain?.encodeToString(Base16())})"
+                " kid=${kid?.encodeToString(Base16(strict = true))}," +
+                " iv=${iv?.encodeToString(Base16(strict = true))}," +
+                " partialIv=${partialIv?.encodeToString(Base16(strict = true))}," +
+                " certificateChain=${certificateChain?.encodeToString(Base16(strict = true))})"
     }
 
     companion object {