SSIkit-based wallet: how to become EBSI conformant from a technical standpoint

[VinceBCD]

Our wallet is based on Walt.id's SSIkit for issuing VC and VP on the Diploma use case. We want to start the process for our wallet to become EBSI conformant and appear on the https://ec.europa.eu/digital-building-blocks/wikis/display/EBSI/Conformant+wallets page.

We will follow the procedure provided by EBSI here https://api-conformance.ebsi.eu/docs/wallet-conformance, but are interested in feedback from Walt.id and other SSIkit based wallet providers on the subject (prerequisites, limitations, scripts, useful tips, etc.)
Thanks for your help

[severinstampler]

Hi @VinceBCD
Thanks for bringing this up. I will try to guide you through the process, since I already did it twice for our ssikit/walletkit.

1. The SSIKit provides all required functionality to handle the EBSI conformance and includes a small test class, that can be executed to run the conformance tests.
   The test class can be found in: id.walt.services.essif.WCTTest

2. I used mitmproxy (v 7.0.4) as an HTTP interceptor to add the conformance headers to the requests coming from the SSIKit, so that the SSIKit itself is agnostic to these test headers:
   https://github.com/mitmproxy/mitmproxy

3. To get started, go to the wallet conformance page and start the first test: Request Verifiable Credentials
   Generate a UUID and copy it. This UUID has to be added as Conformance header to every request (mitmproxy will handle this).

4. Continue on the conformance page and skip over the cross device section (the test will still count for both cross-device and same-device). On the "Issuance Initiation - Same device" section, copy the url of the link "Initiate issuance request".
   Copy the Query parameters after the issuer parameter (starting from credentialType...) of that URL and update them in WCTTest - testIssuanceFlow:

val initiationRequestUri = "openid://initiate_issuance?issuer=${
            URLEncoder.encode(
                EBSI_WCT_ENV,
                StandardCharsets.UTF_8
            )
        }%2Fconformance%2Fv2&credential_type=..."

5. Continue on the conformance page and ignoring the test logs, go to the second test "Present Verifiable Credentials" on the start page.
   Click through the wizard, make sure it shows the same UUID, skip over the cross-device section.
   On the same-device section click "Request authentication", and copy the URL of the link "Initiate authentication request"
   Copy the Query parameters after the redirect_uri parameter (starting from claims=...), and paste them in WCTTest - testVerificationFlow:

val oidcUrl =
            "openid://?scope=openid&response_type=id_token&client_id=https%3A%2F%2Fapi.conformance.intebsi.xyz%2Fconformance%2Fv2%2Fverifier-mock%2Fauthentication-responses&redirect_uri=${
                URLEncoder.encode(
                    EBSI_WCT_ENV, StandardCharsets.UTF_8
                )
            }%2Fconformance%2Fv2%2Fverifier-mock%2Fauthentication-responses&claims=..."

6. Start mitm dump using e.g.:
   ./mitmdump -s mitm-save.py -H "/Conformance/UUID" -m reverse:https://api.conformance.intebsi.xyz -p 8080
   Make sure to replace UUID with your UUID from the conformance test page.
   The -s mitm-save.py uses a custom script to save the request log, if you want to keep it. I'll paste the content of that file at the end of this post. Otherwise remove the argument.

7. Now enable the WCTTest, by setting the return value of WCTEnabled::enabled to true.
   Run the test.

8. Return to the conformance test page and update the Inspect logs section of the second test (shows logs of both issuance and presentation test). If you closed the page, click through the wizard again.
   Confirm that all lights are green. Then file your support ticket at EBSI support desk, where you have the specify your UUID so that they can verify the logs. (I think the link is provided on the logs page)

Let me know if you need help, good luck,
Severin

PS: Here's the content of mitm-save.py, if you want to output a log of the requests with headers and bodies:

from mitmproxy.net.http.http1.assemble import assemble_request, assemble_response

f = open('output.txt', 'w')

def response(flow):
    f.write('\n')
    f.write(assemble_request(flow.request).decode('utf-8'))
    f.write('\n')
    f.write('\n')
    f.write(assemble_response(flow.response).decode('utf-8', 'replace'))
    f.write('\n')
    f.flush()